diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 30c4423927..557504605e 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -16,9 +16,10 @@ ms.topic: article # Add or hide features on the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 The Windows client operating systems include more features that you and your users can install. These features are called [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (opens another Microsoft web site), and can be installed at any time. On your organization-owned devices, you may want to control access to these other features. diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 2b8eb78f4d..ba98c209b2 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) +title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or remove an administrator by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server. diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index d09522b1ba..a91752fa7d 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) +title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to add or upgrade packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index fd18bc7d76..92659b1ce8 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -1,5 +1,5 @@ --- -title: Administering App-V by using Windows PowerShell (Windows 10) +title: Administering App-V by using Windows PowerShell (Windows 10/11) description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports Windows PowerShell cmdlets that give administrators a quick and easy way to manage App-V. The following sections will tell you more about how to use Windows PowerShell with App-V. diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index 9b26750d0e..32b6f0bef7 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: Administering App-V Virtual Applications by using the Management Console (Windows 10) +title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11) description: Administering App-V Virtual Applications by using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Administering App-V Virtual Applications by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers running the App-V client. One or more management servers typically share a common data store for configuration and package information. diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index af9ea8e786..728de7998a 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Only Allow Admins to Enable Connection Groups (Windows 10) +title: Only Allow Admins to Enable Connection Groups (Windows 10/11) description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to allow only administrators to enable connection groups ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can configure the App-V client so that only administrators, not users, can enable or disable connection groups. In earlier versions of App-V, there was no way to restrict access to disabling connection groups to users. diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 130ad633ee..0c949d9dd5 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,5 +1,5 @@ --- -title: Application Publishing and Client Interaction (Windows 10) +title: Application Publishing and Client Interaction (Windows 10/11) description: Learn technical information about common App-V Client operations and their integration with the local operating system. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Application publishing and client interaction ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This article provides technical information about common App-V Client operations and their integration with the local operating system. diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index bf6f0effd2..a8a744e7e2 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: Apply deployment config file via Windows PowerShell (Windows 10) -description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. +title: Apply deployment config file via Windows PowerShell (Windows 10/11) +description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the deployment configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index 851e74f1e6..1650a46de5 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -1,6 +1,6 @@ --- -title: How to apply the user configuration file by using Windows PowerShell (Windows 10) -description: How to apply the user configuration file by using Windows PowerShell (Windows 10). +title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11) +description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # How to apply the user configuration file by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index fe2fe8690a..7875e506a1 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -1,5 +1,5 @@ --- -title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. -In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: +Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: - Using the **New-BatchAppVSequencerPackages** cmdlet - Using the App-V Sequencer interface diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 24651988b3..3ce6b6faac 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -1,5 +1,5 @@ --- -title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Updating multiple apps at the same time follows a similar process to the one used for [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However, when updating, you'll also have to pass your previously created app package files to the App-V Sequencer cmdlet. -Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!NOTE] >If you're trying to sequence multiple apps at the same time, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index acf7bb3cdf..38ab629d22 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -1,5 +1,5 @@ --- -title: Auto-remove unpublished packages on App-V client (Windows 10) +title: Auto-remove unpublished packages on App-V client (Windows 10/11) description: How to automatically clean up any unpublished packages on your App-V client devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Automatically clean up unpublished packages on the App-V client ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. +If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Starting with Windows 10 version 1703, use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. ## Clean up with PowerShell cmdlets diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 1acb2935e3..f9e98f0849 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -1,5 +1,5 @@ --- -title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. +Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Starting with Windows 10 version 1703, the `New-AppVSequencerVM` and `Connect-AppvSequencerVM` Windows PowerShell cmdlets are available, which automatically create your sequencing environment for you, including provisioning your virtual machine. ## Automatic VM provisioning of the sequencing environment @@ -54,7 +54,7 @@ For this process to work, you must have a base operating system available as a V After you have a VHD file, you must provision your VM for auto-sequencing. -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server). 3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: @@ -93,7 +93,7 @@ If your apps require custom prerequisites, such as Microsoft SQL Server, we reco #### Provision an existing VM -1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. On the Host device, install the Windows client and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters: diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 2b73883501..107fab760e 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,5 +1,5 @@ --- -title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) +title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11) description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,22 +14,22 @@ ms.topic: article --- # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. +Starting with Windows 10 version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page. |Policy name|Supported versions|URI full path|Data type|Values| |---|---|---|---|---| -|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| -|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| -|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| -|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| -|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| -|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| -|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| -|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| -|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| -|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| -|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| -|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| -|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| -|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| -|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file +|Name|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.| +|Version|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.| +|Publisher|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.| +|InstallLocation|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.| +|InstallDate|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.| +|Users|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.| +|AppVPackageID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.| +|AppVVersionID|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.| +|AppVPackageUri|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your App-V packages.| +|LastError|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.| +|LastErrorDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
- **1**: Unpublish groups failed during publish.
- **2**: Publish no-group packages failed during publish.
- **3**: Publish group packages failed during publish.
- **4**: Unpublish packages failed during publish.
- **5**: New policy write failed during publish.
- **6**: Multiple non-fatal errors occurred during publish.| +|SyncStatusDescription|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.| +|SyncProgress|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.| +|PublishXML|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.| +|Policy|Windows 10/11|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.| \ No newline at end of file diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 76f23f4537..75a7a8d6ec 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -1,5 +1,5 @@ --- -title: App-V Capacity Planning (Windows 10) +title: App-V Capacity Planning (Windows 10/11) description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index b0821ae348..f66d17b837 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -1,5 +1,5 @@ --- -title: About Client Configuration Settings (Windows 10) +title: About Client Configuration Settings (Windows 10/11) description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About Client Configuration Settings ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). @@ -29,7 +29,7 @@ The following table provides information about App-V client configuration settin |------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageInstallationRoot**
String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-PackageSourceRoot**
String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected by a metered network connection (for example, 4G). | 0 | +| Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-AllowHighCostLaunch**
True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows client machines connected by a metered network connection (for example, 4G). | 0 | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentRetries**
Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-ReestablishmentInterval**
Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
Set-AppvPublishingServer

**-LocationProvider**
String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index 82dca3e617..92657e83fa 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to configure access to packages by using the Management Console (Windows 10) +title: How to configure access to packages by using the Management Console (Windows 10/11) description: How to configure access to packages by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure access to packages by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 12b44773a7..c2d3446d5e 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -1,5 +1,5 @@ --- -title: How to make a connection group ignore the package version (Windows 10) +title: How to make a connection group ignore the package version (Windows 10/11) description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to make a connection group ignore the package version -> Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create. diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 9dadc20365..b4b2fc014d 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -1,5 +1,5 @@ --- -title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10) +title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11) description: How to configure the client to receive package and connection groups updates from the publishing server. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to configure the client to receive package and connection groups updates from the publishing server ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date. diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index b2414c2635..48b893e5af 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to connect to the Management Console (Windows 10) +title: How to connect to the Management Console (Windows 10/11) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to connect to the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to connect to the App-V Management Console. diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 70072685d4..b73008a5ac 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -1,5 +1,5 @@ --- -title: About the connection group file (Windows 10) +title: About the connection group file (Windows 10/11) description: A summary of what the connection group file is and how to configure it. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group file ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Connection group file overview diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index a1a9c16649..dcd72b455c 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: About the connection group virtual environment (Windows 10) +title: About the connection group virtual environment (Windows 10/11) description: Learn how the connection group virtual environment works and how package priority is determined. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About the connection group virtual environment ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## How package priority is determined diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 44e0487b4e..1088fd28a2 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,5 +1,5 @@ --- -title: How to convert a package created in a previous version of App-V (Windows 10) +title: How to convert a package created in a previous version of App-V (Windows 10/11) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to convert a package created in a previous version of App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. @@ -28,9 +28,9 @@ The package converter can only directly convert packages created by an App-V seq ## App-V 4.6 installation folder is redirected to virtual file system root -When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) +When you convert packages from App-V 4.6 to App-V for Windows 10/11, the App-V for Windows client package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) -The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. +The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. ## Getting started @@ -50,9 +50,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages ``` - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. - Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. > [!NOTE] > Before you specify the output directory, you must create the output directory. diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 1b3212816f..70409e9d70 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,5 +1,5 @@ --- -title: How to create a connection croup with user-published and globally published packages (Windows 10) +title: How to create a connection croup with user-published and globally published packages (Windows 10/11) description: How to create a connection croup with user-published and globally published packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection croup with user-published and globally published packages ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 38fb3646e7..35002a1b2b 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to create a connection group (Windows 10) +title: How to create a connection group (Windows 10/11) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 34f45644e9..877f356159 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to create a custom configuration file by using the App-V Management Console (Windows 10) +title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11) description: How to create a custom configuration file by using the App-V Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a custom configuration file by using the App-V Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see [About App-V dynamic configuration](appv-dynamic-configuration.md). diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 3e6fe295f1..79b713f591 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator by using Windows PowerShell (Windows 10) +title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a package accelerator by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 19d0617e41..c9eff04f48 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a package accelerator (Windows 10) +title: How to create a package accelerator (Windows 10/11) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a package accelerator ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V Package Accelerators automatically generate new virtual application packages. diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index f091625f1a..7a9d9a8b7f 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,5 +1,5 @@ --- -title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) +title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11) description: How to create a virtual application package using an App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to create a virtual application package using an App-V Package Accelerator ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a virtual application package with the App-V Package Accelerator. diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 4927af50b8..908c5fc16f 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,5 +1,5 @@ --- -title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,12 +14,12 @@ ms.topic: article --- # Create and apply an App-V project template to a sequenced App-V package ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md). >[!IMPORTANT] ->In Windows 10, version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. +>Starting with Windows 10 version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. ## Create a project template diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 0d5400a65a..6a372fbbdf 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,5 +1,5 @@ --- -title: Creating and managing App-V virtualized applications (Windows 10) +title: Creating and managing App-V virtualized applications (Windows 10/11) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Creating and managing App-V virtualized applications ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. @@ -119,7 +119,7 @@ A template can specify and store multiple settings as follows: - **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**. - **Exclusion Items.** Contains the Exclusion pattern list. -In Windows 10, version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, running the **new-appvsequencerpackage** or **update-appvsequencepackage** cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. >[!IMPORTANT] >If you attempt to load another template through the *_TemplateFilePath_* parameter while already having an auto-saved template, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index b6ed9b54af..4de66c5d97 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) +title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11) description: How to customize virtual application extensions for a specific AD group by using the Management Console. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to customize virtual applications extensions for a specific AD group by using the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group. diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index a252b5a53d..a1a8185b9a 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to delete a connection group (Windows 10) +title: How to delete a connection group (Windows 10/11) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a connection group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an existing App-V connection group. diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 989346048b..775893310a 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to delete a package in the Management Console (Windows 10) +title: How to delete a package in the Management Console (Windows 10/11) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to delete a package in the Management Console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to delete an App-V package. diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 8fd2c674f6..5cdd91138e 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) +title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 0d670783b7..a8477d90ae 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to deploy App-V packages using electronic software distribution (Windows 10) +title: How to deploy App-V packages using electronic software distribution (Windows 10/11) description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to deploy App-V packages using electronic software distribution ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 467272455a..ead9d82133 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,5 +1,5 @@ --- -title: How to Deploy the App-V Server Using a Script (Windows 10) +title: How to Deploy the App-V Server Using a Script (Windows 10/11) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index e8fa0ac8b9..a29b019396 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: How to Deploy the App-V Server (Windows 10) -description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. +title: How to Deploy the App-V Server (Windows 10/11) +description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -32,7 +32,7 @@ ms.topic: article 1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. - * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). + * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). 2. Copy the App-V server installation files to the computer on which you want to install it. diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 04cd90525d..148567438b 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying App-V (Windows 10) +title: Deploying App-V (Windows 10/11) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,9 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Deploying App-V for Windows 10 +# Deploying App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] App-V supports several different deployment options. Review this topic for information about the tasks that you must complete at different stages in your deployment. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 7a38ac29e7..5ec4cf5cad 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11) description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2010 by Using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods: @@ -37,7 +37,7 @@ Sequencing Office 2010 is one of the main methods for creating an Office 2010 pa ## Creating Office 2010 App-V packages using package accelerators -Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: +Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10/11, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows: * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 8](https://gallery.technet.microsoft.com/App-V-50-Package-a29410db) * [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 7](https://gallery.technet.microsoft.com/App-V-50-Package-e7ef536b) diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 778f467100..e895318669 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) +title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2013 by Using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. @@ -73,7 +73,7 @@ Before you start, make sure that the computer on which you are installing the Of You create Office 2013 App-V packages with the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing. -Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -148,7 +148,7 @@ After you download the Office 2013 applications through the Office Deployment To #### What you'll need to do -* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10 computers. +* Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10/11 computers. * Create an Office App-V package for either the Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 654fa05a45..cbe270cf7d 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,5 +1,5 @@ --- -title: Deploying Microsoft Office 2016 by using App-V (Windows 10) +title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying Microsoft Office 2016 by using App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). @@ -64,7 +64,7 @@ The computer on which you are installing the Office Deployment Tool must have th | Prerequisite | Description | |----------------------|--------------------| | Prerequisite software | .Net Framework 4 | -| Supported operating systems | 64-bit version of Windows 10
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | +| Supported operating systems | 64-bit version of Windows 10/11
64-bit version of Windows 8 or 8.1
64-bit version of Windows 7 | >[!NOTE] >In this topic, the term “Office 2016 App-V package” refers to subscription licensing. @@ -73,7 +73,7 @@ The computer on which you are installing the Office Deployment Tool must have th You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with subscription licensing. -Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. +Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10/11 computers. ### Download the Office Deployment Tool @@ -146,7 +146,7 @@ After you download the Office 2016 applications through the Office Deployment To #### What you’ll need to do -* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. +* Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10/11 computers. * Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the **Customconfig.xml** configuration file. The following table summarizes the values you need to enter in the **Customconfig.xml** file. The steps in the sections that follow the table will specify the exact entries you need to make. @@ -377,7 +377,7 @@ The following table describes the requirements and options for deploying Visio 2 ## Related topics -* [Deploying App-V for Windows 10](appv-deploying-appv.md) +* [Deploying App-V for Windows client](appv-deploying-appv.md) * [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) * [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) * [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 032233877b..9485202cc5 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying App-V packages by using electronic software distribution (ESD) ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 9547612b38..bfd34cfcaa 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,5 +1,5 @@ --- -title: Deploying the App-V Sequencer and configuring the client (Windows 10) +title: Deploying the App-V Sequencer and configuring the client (Windows 10/11) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Deploying the App-V Sequencer and configuring the client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V Sequencer and client let administrators to virtualize and run virtual applications. @@ -23,7 +23,7 @@ The App-V Sequencer and client let administrators to virtualize and run virtual The App-V client is the component that runs a virtualized application on a target computer. The client lets users interact with icons and file types, starting virtualized applications. The client can also get the virtual application content from the management server. >[!NOTE] ->In Windows 10, version 1607, App-V is included with the operating system. You only need to enable it. +>Starting with Windows 10 version 1607, App-V is included with the operating system. You only need to enable it. [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 71d9510a36..5677a2f846 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,6 +1,6 @@ --- -title: Deploying the App-V Server (Windows 10) -description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. +title: Deploying the App-V Server (Windows 10/11) +description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -19,9 +19,9 @@ ms.topic: article You can install the Application Virtualization (App-V) server components using different deployment configurations, which are described in this topic. Before you install the server features, review the server section of [App-V security considerations](appv-security-considerations.md). >[!NOTE] ->If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows 10. +>If you plan to use the App-V server components in your deployment, note that the version number is still listed as App-V 5.x, as the App-V server components have not changed in App-V for Windows client. -To learn more about deploying App-V for Windows 10, read [What's new in App-V](appv-about-appv.md). +To learn more about deploying App-V for Windows client, read [What's new in App-V](appv-about-appv.md). >[!IMPORTANT] >Before installing and configuring the App-V servers, you must specify the port or ports where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports, as the installer does not modify firewall settings. @@ -49,7 +49,7 @@ App-V offers the following five server components, each of which serves a specif All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. -* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). +* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home). In large organizations, you might want to install more than one instance of the server components to get the following benefits. diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index 4183212c31..aa72671760 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,5 +1,5 @@ --- -title: App-V Deployment Checklist (Windows 10) +title: App-V Deployment Checklist (Windows 10/11) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V Deployment Checklist ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist outlines the recommended steps and items to consider when deploying App-V features. Use it to organize your priorities while you deploy App-V. You can copy this checklist into a spreadsheet program and customize it for your use. diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 8d5b3cafad..26a4d6b23c 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,5 +1,5 @@ --- -title: About App-V Dynamic Configuration (Windows 10) +title: About App-V Dynamic Configuration (Windows 10/11) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V dynamic configuration ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. @@ -562,7 +562,7 @@ The following table describes the various script events and the context under wh ### Using multiple scripts on a single event trigger -App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. +App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows client. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. #### How to use multiple scripts on a single event trigger diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 93ddd8f4d6..bd42de3c84 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) +title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10/11) description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to enable only administrators to publish packages by using an ESD ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 8b6dd8e9fc..3983d8787c 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) +title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,8 +14,7 @@ ms.topic: article --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V for reporting. diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 7aa623a0a3..a0fd066d26 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,6 +1,6 @@ --- -title: Enable the App-V in-box client (Windows 10) -description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. +title: Enable the App-V in-box client (Windows 10/11) +description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,11 +14,11 @@ ms.topic: article --- # Enable the App-V in-box client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The App-V client is the component that runs virtualized applications on user devices. Once you enable the client, users can interact with icons and file names to start virtualized applications. The client can also get virtual application content from the management server. -With Windows 10, version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. +Starting with Windows 10 version 1607, the App-V client is installed automatically. However, you'll still need to enable the client yourself to allow user devices to access and run virtual applications. You can set up the client with the Group Policy editor or with Windows PowerShell. Here's how to enable the App-V client with Group Policy: diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 731ea42546..e15b0a5209 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,6 +1,6 @@ --- -title: Evaluating App-V (Windows 10) -description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. +title: Evaluating App-V (Windows 10/11) +description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,8 +15,7 @@ ms.author: greglin # Evaluating App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 51b2a21a10..32c7f7e7ef 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,5 +1,5 @@ --- -title: Application Virtualization (App-V) (Windows 10) +title: Application Virtualization (App-V) (Windows 10/11) description: See various topics that can help you administer Application Virtualization (App-V) and its components. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,9 +12,9 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Application Virtualization (App-V) for Windows 10 overview +# Application Virtualization (App-V) for Windows client overview ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index fd20851076..0e3c91919c 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,6 +1,6 @@ --- -title: Getting Started with App-V (Windows 10) -description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. +title: Getting Started with App-V (Windows 10/11) +description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,35 +12,35 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Getting started with App-V for Windows 10 +# Getting started with App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] -Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. +Microsoft Application Virtualization (App-V) for Windows delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. -With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). +Starting with Windows 10 version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows client and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). -If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). +If you’re already using App-V, performing an in-place upgrade to Windows 10/11 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10/11, see [Upgrading to App-V for Windows from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md). >[!IMPORTANT] >You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows. To learn more about previous versions of App-V, see [MDOP information experience](/microsoft-desktop-optimization-pack/index). -## Getting started with App-V for Windows 10 (new installations) +## Getting started with App-V for Windows (new installations) -To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows 10 components, what they do, and where to find them. +To start using App-V to deliver virtual applications to users, you’ll need to download, enable, and install server- and client-side components. The following table describes the App-V for Windows client components, what they do, and where to find them. | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| -| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | -| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | +| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 7c11b77a24..62ec6658b4 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,5 +1,5 @@ --- -title: High-level architecture for App-V (Windows 10) +title: High-level architecture for App-V (Windows 10/11) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # High-level architecture for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to simplify your Microsoft Application Virtualization (App-V) deployment. diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index b0daa8e5c6..446fb2362d 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) +title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index b48c88fe55..2f8a941579 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,5 +1,5 @@ --- -title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) +title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 9a7bb5df47..c7c54d8a32 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) +title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11) description: How to install the Management Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 3ac42e959a..261eb206aa 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,5 +1,5 @@ --- -title: Install the Publishing Server on a Remote Computer (Windows 10) +title: Install the Publishing Server on a Remote Computer (Windows 10/11) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index 41fb1e6ffa..f2848972d7 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,5 +1,5 @@ --- -title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) +title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 9bde5d0531..410d7b4f25 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,5 +1,5 @@ --- -title: Install the App-V Sequencer (Windows 10) +title: Install the App-V Sequencer (Windows 10/11) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,11 +14,11 @@ ms.topic: article --- # Install the App-V Sequencer ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. Those devices must be running the App-V client to allow users to interact with virtual applications. -The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit (Windows ADK). +The App-V Sequencer is included in the Windows client Assessment and Deployment Kit (Windows ADK). >[!NOTE] >The computer that will run the sequencer must not have the App-V client enabled. As a best practice, choose a computer with the same hardware and software configurations as the computers that will run the virtual applications. The sequencing process is resource-intensive, so make sure the computer that will run the Sequencer has plenty of memory, a fast processor, and a fast hard drive. diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 3f38081e58..081235fe4b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,5 +1,5 @@ --- -title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) +title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] ## Requirements for using Windows PowerShell cmdlets @@ -82,7 +82,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats: |App-V Sequencer|**Update-Help -Module AppvSequencer**| |App-V Client|**Update-Help -Module AppvClient**| -* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started?view=win-mdop2-ps). +* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started). ## Displaying the help for a Windows PowerShell cmdlet diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 6375ae29ad..b67604f857 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,6 +1,6 @@ --- -title: Maintaining App-V (Windows 10) -description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +title: Maintaining App-V (Windows 10/11) +description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,9 +14,9 @@ ms.topic: article --- # Maintaining App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. +After you have deployed App-V for Windows client, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index 278b757481..102c1d61e6 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10/11) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 5333448a99..88a684ce46 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) +title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] An App-V connection group allows you to run all the virtual applications as a defined set of packages in a single virtual environment. For example, you can virtualize an application and its plug-ins by using separate packages, but run them together in a single connection group. diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 1a1fed1187..bfbd7fe594 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,5 +1,5 @@ --- -title: Managing Connection Groups (Windows 10) +title: Managing Connection Groups (Windows 10/11) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Managing Connection Groups -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Connection groups enable the applications within a package to interact with each other in the virtual environment, while remaining isolated from the rest of the system. By using connection groups, administrators can manage packages independently and can avoid having to add the same application multiple times to a client computer. diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index da8bf8b6cc..894d080a23 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,6 +1,6 @@ --- -title: Migrating to App-V from a Previous Version (Windows 10) -description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. +title: Migrating to App-V from a Previous Version (Windows 10/11) +description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -15,10 +15,9 @@ ms.author: greglin # Migrating to App-V from previous versions -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -To migrate from App-V 4.x to App-V for Windows 10, you must upgrade to App-V 5.x first. +To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. ## Improvements to the App-V Package Converter @@ -34,7 +33,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom -New in App-V for Windows 10 +New in App-V for Windows client Prior to App-V for Windows 10 diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 0cc6df1e55..69acd8e60e 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,5 +1,5 @@ --- -title: How to Modify an Existing Virtual Application Package (Windows 10) +title: How to Modify an Existing Virtual Application Package (Windows 10/11) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify an Existing Virtual Application Package -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic explains how to: diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index ad99c8c0b2..552c9efd53 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) +title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Modify Client Configuration by Using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to configure the App-V client configuration. diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index ea80b1f3c8..e3bd963ee4 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,5 +1,5 @@ --- -title: How to Move the App-V Server to Another Computer (Windows 10) +title: How to Move the App-V Server to Another Computer (Windows 10/11) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 91ddd5b656..08dba24e7a 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,5 +1,5 @@ --- -title: Operations for App-V (Windows 10) +title: Operations for App-V (Windows 10/11) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Operations for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section of the Microsoft Application Virtualization (App-V) Administrator’s Guide includes information about the various types of App-V administration and operating tasks that are typically performed by an administrator. This section also includes step-by-step procedures to help you successfully perform those tasks. diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index dba895b3b1..392ba61769 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,5 +1,5 @@ --- -title: Performance Guidance for Application Virtualization (Windows 10) +title: Performance Guidance for Application Virtualization (Windows 10/11) description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,11 +15,13 @@ ms.author: greglin # Performance Guidance for Application Virtualization -**Applies to** -- Windows 7 SP1 -- Windows 10 -- Server 2012 R2 -- Server 2016 +**Applies to**: + +- Windows 7 SP1 +- Windows 10 +- Windows 11 +- Server 2012 R2 +- Server 2016 Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. @@ -270,11 +272,11 @@ We recommend using User Experience Virtualization (UE-V) to capture and centrali For more information, see: -- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows) +- [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows) - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) -In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows). +In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). **Note**   Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index 50887ca724..90f3c89418 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,5 +1,5 @@ --- -title: App-V Planning Checklist (Windows 10) +title: App-V Planning Checklist (Windows 10/11) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V Planning Checklist ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This checklist can be used to help you plan for preparing your organization for an App-V deployment. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 18032d260a..40386c2097 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Use Folder Redirection with App-V (Windows 10) +title: Planning to Use Folder Redirection with App-V (Windows 10/11) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning to Use Folder Redirection with App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) supports the use of folder redirection, a feature that enables users and administrators to redirect the path of a folder to a new location. diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index f17f8cf5e9..b5f01d47c7 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Server Deployment (Windows 10) +title: Planning for the App-V Server Deployment (Windows 10/11) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 9f7685040d..0f7c0bbb39 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,5 +1,5 @@ --- -title: Planning for App-V (Windows 10) +title: Planning for App-V (Windows 10/11) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] > [!NOTE] > [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 4cdce6102f..f3e4e0b58f 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for high availability with App-V Server ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level. diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index f6e0a38b9e..f1c589ae07 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning for the App-V Sequencer and Client Deployment (Windows 10) +title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for the App-V Sequencer and Client Deployment ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Before you can use App-V, you must install the App-V Sequencer and enable the App-V client. You can also the App-V shared content store, although it isn't required. The following sections will tell you how to set these up. @@ -38,7 +38,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac ## Planning for App-V client deployment -In Windows 10, version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with the operating system. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). ## Planning for the App-V Shared Content Store (SCS) diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 9db1afb81a..c5885a941b 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,5 +1,5 @@ --- -title: Planning for Deploying App-V with Office (Windows 10) +title: Planning for Deploying App-V with Office (Windows 10/11) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning for deploying App-V with Office ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following information to plan how to deploy Office within Microsoft Application Virtualization (App-V). @@ -92,7 +92,7 @@ To bypass the auto-registration operation for native Word 2010, follow these ste * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. - * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. + * In Windows client, enter **regedit**, select **Enter** on the Start page, then select the Enter key. If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. 3. Locate and then select the following registry subkey: diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index a5ab9870cf..12d3de4f82 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) +title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11) description: Planning to Deploy App-V with an Electronic Software Distribution System author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # Planning to Deploy App-V with an electronic software distribution system ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 0b26e63e8a..3bb30afe33 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,5 +1,5 @@ --- -title: Planning to Deploy App-V (Windows 10) +title: Planning to Deploy App-V (Windows 10/11) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,11 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# Planning to Deploy App-V for Windows 10 +# Planning to Deploy App-V for Windows client ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -There are several different deployment configurations and requirements to consider before you deploy App-V for Windows 10. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. +There are several different deployment configurations and requirements to consider before you deploy App-V for Windows client. Review this topic for information about what you'll need to make a deployment plan that best meets your needs. ## App-V supported configurations diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 9753d170ef..979f7a1094 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -1,5 +1,5 @@ --- -title: Preparing Your Environment for App-V (Windows 10) +title: Preparing Your Environment for App-V (Windows 10/11) description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V). ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: article --- # Preparing your environment for App-V ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] There are several different deployment configurations and prerequisites that you must consider before creating your deployment plan for Microsoft App-V. The following articles will help you gather the information you need to set up a deployment plan that best suits your business’ needs. diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index 2cdfd2d90c..0e3e61bac8 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -1,5 +1,5 @@ --- -title: App-V Prerequisites (Windows 10) +title: App-V Prerequisites (Windows 10/11) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -12,11 +12,12 @@ manager: dansimp ms.author: greglin ms.topic: article --- -# App-V for Windows 10 prerequisites ->Applies to: Windows 10, version 1607 +# App-V for Windows client prerequisites -Before installing App-V for Windows 10, ensure that you have installed all of the following required prerequisite software. +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] + +Before installing App-V for Windows client, ensure that you have installed all of the following required prerequisite software. For a list of supported operating systems and hardware requirements for the App-V server, sequencer, and client, see [App-V Supported Configurations](appv-supported-configurations.md). @@ -26,7 +27,7 @@ The following table indicates the software that is already installed for differe |Operating system|Prerequisite description| |---|---| -|Windows 10|All prerequisite software is already installed.| +|Windows 10/11|All prerequisite software is already installed.| |Windows 8.1|All prerequisite software is already installed.
If you're running Windows 8, upgrade to Windows 8.1 before using App-V.| |Windows Server 2016|The following prerequisite software is already installed:
- Microsoft .NET Framework 4.5
- Windows PowerShell 3.0

Installing Windows PowerShell requires a restart.| |Windows 7|No prerequisite software is installed. You must install the software before you can install App-V.| diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 27eb277fc2..4297883e3a 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -1,5 +1,5 @@ --- -title: How to Publish a Connection Group (Windows 10) +title: How to Publish a Connection Group (Windows 10/11) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to Publish a Connection Group ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] After you create a connection group, you must publish it to computers that run the App-V client. diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index c438b69062..f50ef817a3 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to publish a package by using the Management console (Windows 10) +title: How to publish a package by using the Management console (Windows 10/11) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # How to publish a package by using the Management console ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 7023d46bce..509d82740c 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10) +title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11) description: How to Register and Unregister a Publishing Server by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Register and Unregister a Publishing Server by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] You can register and unregister publishing servers that will synchronize with the App-V management server. You can also see the last attempt that the publishing server made to synchronize the information with the management server. diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 993c86f316..8765ba9fa6 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -1,6 +1,6 @@ --- -title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) -description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11) +description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -13,12 +13,11 @@ ms.author: greglin --- -# Release Notes for App-V for Windows 10, version 1703 +# Release Notes for App-V for Windows 10 version 1703 and later -**Applies to** -- Windows 10, version 1703 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later @@ -106,7 +105,7 @@ The following are known issues and workarounds for Application Virtualization (A ## Related resources list -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) - [The Official Microsoft App-V Team Blog](/archive/blogs/appv/) @@ -119,6 +118,6 @@ For information that can help with troubleshooting App-V for Windows 10, see:
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics -- [What's new in App-V for Windows 10](appv-about-appv.md) +- [What's new in App-V for Windows client](appv-about-appv.md) - [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index a777b5a01e..31fd82260d 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -1,5 +1,5 @@ --- -title: About App-V Reporting (Windows 10) +title: About App-V Reporting (Windows 10/11) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # About App-V reporting ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Application Virtualization (App-V) includes a built-in reporting feature that collects information about computers running the App-V client and virtual application package usage. You can generate reports from a centralized database with this information. diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index d552115faf..b22a3ebbce 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -1,5 +1,5 @@ --- -title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10) +title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -18,6 +18,7 @@ ms.author: greglin **Applies to** - Windows 7 SP1 - Windows 10 +- Windows 11 - Windows Server 2012 R2 - Windows Server 2016 diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 02603d57b2..36f3d39141 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -1,5 +1,5 @@ --- -title: App-V Security Considerations (Windows 10) +title: App-V Security Considerations (Windows 10/11) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,7 +14,7 @@ ms.topic: article --- # App-V security considerations ->Applies to: Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index 0c47bf69b6..c456583c56 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,5 +1,5 @@ --- -title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) +title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -14,9 +14,9 @@ ms.topic: article --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) ->Applies to: Windows 10, version 1607 and later +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +Starting with Windows 10 version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). ## Before you start sequencing diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 6a5a084f6a..60d9e3bf9e 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -1,5 +1,5 @@ --- -title: How to sequence a package by using Windows PowerShell (Windows 10) +title: How to sequence a package by using Windows PowerShell (Windows 10/11) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Sequence a Package by using Windows PowerShell -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to create a new App-V package using Windows PowerShell. @@ -63,7 +62,7 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. > [!IMPORTANT] > If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index f2d40d15b1..4fe89ecc0c 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -1,6 +1,6 @@ --- -title: App-V Supported Configurations (Windows 10) -description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment. +title: App-V Supported Configurations (Windows 10/11) +description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -14,9 +14,17 @@ ms.topic: article --- # App-V Supported Configurations ->Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update) +**Applies to**: -This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). +- Windows 10 +- Windows 11 +- Window Server 2019 +- Windows Server 2016 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 (Extended Security Update) + +This topic specifies the requirements to install and run App-V in your Windows client environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md). ## App-V Server system requirements @@ -98,7 +106,7 @@ The following table lists the SQL Server versions that are supported for the App ## App-V client and Remote Desktop Services client requirements -With Windows 10, version 1607 and later releases, the App-V client is included with Windows 10 Enterprise and Windows 10 Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +Starting with Windows 10 version 1607, the App-V client is included with Windows Enterprise and Windows Education. The App-V client is no longer part of the Microsoft Desktop Optimization Pack. Before you can use the App-V client, it must be enabled, as described in [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). Similarly, the App-V Remote Desktop Services (RDS) client is included with Windows Server 2016 Standard and Windows Server 2016 Datacenter. diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index ec6e36ed71..378c6cf052 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -1,5 +1,5 @@ --- -title: Technical Reference for App-V (Windows 10) +title: Technical Reference for App-V (Windows 10/11) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Technical Reference for App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This section provides reference information related to managing App-V. diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 28caecc4fa..52fd89cf85 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10) +title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to transfer the access and default package configurations to another version of a package by using the management console. diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 2ee6c51728..0ca75469ad 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -1,5 +1,5 @@ --- -title: Troubleshooting App-V (Windows 10) +title: Troubleshooting App-V (Windows 10/11) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,10 +15,9 @@ ms.author: greglin # Troubleshooting App-V -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -For information that can help with troubleshooting App-V for Windows 10, see: +For information that can help with troubleshooting App-V for Windows client, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) @@ -33,9 +32,9 @@ For information that can help with troubleshooting App-V for Windows 10, see: ## Other resources -- [Application Virtualization (App-V) for Windows 10 overview](appv-for-windows.md) +- [Application Virtualization (App-V) for Windows client overview](appv-for-windows.md) -- [Getting Started with App-V for Windows 10](appv-getting-started.md) +- [Getting Started with App-V for Windows client](appv-getting-started.md) - [Planning for App-V](appv-planning-for-appv.md) diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index fd2a4d1bf4..cb48f4c88a 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -1,6 +1,6 @@ --- -title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10) -description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation. +title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) +description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -12,14 +12,13 @@ manager: dansimp ms.author: greglin --- -# Upgrading to App-V for Windows 10 from an existing installation +# Upgrading to App-V for Windows client from an existing installation -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you’re already using App-V and you’re planning to upgrade user devices to Windows 10, you need to make only the following few adjustments to your existing environment to start using App-V for Windows 10. +If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. -1. [Upgrade user devices to Windows 10](#upgrade-user-devices-to-windows-10). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. +1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 2. [Verify that App-V applications and settings were migrated correctly](#verify-that-app-v-applications-and-settings-were-migrated-correctly). @@ -31,13 +30,13 @@ If you’re already using App-V and you’re planning to upgrade user devices to These steps are explained in more detail below. -## Upgrade user devices to Windows 10 +## Upgrade user devices to Windows 10/11 -Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](/windows/windows-10/) for information about upgrading user devices to Windows 10. +Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. ## Verify that App-V applications and settings were migrated correctly -After upgrading a user device to Windows 10, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. +After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell. @@ -45,7 +44,7 @@ To verify that the user’s App-V settings were migrated correctly, type `Get-Ap ## Enable the in-box App-V client -With Windows 10, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. +With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. **To enable the App-V client with Group Policy** diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 1f463763a0..4d7ae4ff1a 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -1,5 +1,5 @@ --- -title: Using the App-V Client Management Console (Windows 10) +title: Using the App-V Client Management Console (Windows 10/11) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # Using the App-V Client Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 96494e493b..3e7c56d05e 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -1,5 +1,5 @@ --- -title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10) +title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -15,8 +15,7 @@ ms.author: greglin # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console -**Applies to** -- Windows 10, version 1607 +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] Use the following procedure to view and configure default package extensions. diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index 8cb9a3b085..eebe3e0c35 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -1,5 +1,5 @@ --- -title: Viewing App-V Server Publishing Metadata (Windows 10) +title: Viewing App-V Server Publishing Metadata (Windows 10/11) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization @@ -42,7 +42,7 @@ You can view the metadata for each request in an Internet browser by using a que ## Query syntax for viewing publishing metadata -This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows 10. +This section provides information about queries for viewing publishing metadata for App-V 5.0 SP3 Server and App-V 5.1 server. The App-V server components have not changed since App-V 5.0 was released, so App-V 5.x Server is the version of the server used with App-V for Windows client. **Query syntax** @@ -58,7 +58,7 @@ In this example: - A computer running Windows Server 2016 named “pubsvr01” hosts the Publishing service. -- The Windows client is Windows 10, 64-bit. +- The Windows client is 64-bit. **Query parameter descriptions** @@ -68,7 +68,7 @@ The following table describes the parameters shown in the preceding **Query synt |------------|---------------| | `` | Name of the App-V Publishing server. | | `` | Port to the App-V Publishing server, which you defined when you configured the Publishing server. | -| `ClientVersion=` | Windows 10 build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | +| `ClientVersion=` | Windows client build number. You can obtain this number by running the following Windows PowerShell command:
`(Get-CimInstance Win32_OperatingSystem).version` | | `ClientOS=` | Operating system of the computer that is running the App-V client. Refer to the table that follows for the correct value.
You can omit this parameter, with the result that only the packages that were sequenced to support all operating systems will appear in the metadata. | To get the name of the Publishing server and the port number (`http://:`) from the App-V client, look at the URL configuration of the Get-AppvPublishingServer Windows PowerShell cmdlet. @@ -92,12 +92,12 @@ In your publishing metadata query, enter the string values that correspond to th - + - + diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index f30e8fa94f..43bc4bec68 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Learn about the different app types in Windows 10 | Microsoft Docs +title: Learn about the different app types in Windows 10/11 | Microsoft Docs ms.reviewer: manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. @@ -15,9 +15,10 @@ ms.topic: article # Overview of apps on Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 ## Before you begin @@ -76,7 +77,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. - If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows 10 (and newer) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). + If you want to prevent users from downloading apps on organization owned devices, use an MDM provider, like Microsoft Intune. For example, you can create a policy that allows or prevents users from sideloading apps, only allow the private store, and more. For more information on the features you can restrict, see [Windows client device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10). For an overview of the different types of device policies you can create, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 0a72c19e87..9c4133cd25 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -17,7 +17,7 @@ To provide the best experience for consumers, Windows provides controls that giv By default, resource limits are imposed on applications. Foreground apps are given the most memory and execution time; background apps get less. Users are thus protected from poor foreground app performance and heavy battery drain. -Enterprise users want the same ability to enable or limit background activity. In Windows 10, version 1703 (also known as the Creators Update), enterprises can now configure settings via policy and provisioning that control background activity. +Enterprise users want the same ability to enable or limit background activity. Starting with Windows 10 version 1703, enterprises can now configure settings via policy and provisioning that control background activity. ## Background activity controls @@ -33,7 +33,7 @@ Here is the set of available controls for mobile devices:  ![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) -Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). +Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows clients. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity). ## Enterprise background activity controls  @@ -62,4 +62,4 @@ The Universal Windows Platform ensures that consumers will have great battery li - [Run in the background indefinitely](/windows/uwp/launch-resume/run-in-the-background-indefinetly) - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) -[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) \ No newline at end of file +[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity) diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md new file mode 100644 index 0000000000..33ade955c1 --- /dev/null +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -0,0 +1,15 @@ +--- +author: MandiOhlinger +ms.author: mandia +ms.date: 09/28/2021 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: w10 +ms.topic: include +--- + +**Applies to**: + +- Windows 10 +- Windows 11 diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 2305949341..8640d74fc3 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -1,5 +1,5 @@ --- -title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: manager: dansimp @@ -15,37 +15,41 @@ ms.topic: article # Enable or block Windows Mixed Reality apps in enterprises -**Applies to** - -- Windows 10 +[!INCLUDE [Applies to Windows client versions](./includes/applies-to-windows-client-versions.md)] -[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. +[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update. Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal). ## Enable Windows Mixed Reality in WSUS -1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) +1. [Check your version of Windows.](https://support.microsoft.com/help/13443/windows-which-operating-system) >[!NOTE] >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + 1. Download the FOD .cab file: - > [!NOTE] - > You must download the FOD .cab file that matches your operating system version. + - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) + - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) + - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab) + + > [!NOTE] + > You must download the FOD .cab file that matches your operating system version. 1. Use `Dism` to add Windows Mixed Reality FOD to the image. - ```powershell - Dism /Online /Add-Package /PackagePath:(path) - ``` + ```powershell + Dism /Online /Add-Package /PackagePath:(path) + ``` - > [!NOTE] - > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab** + > [!NOTE] + > You must rename the FOD .CAB file to : **Microsoft-Windows-Holographic-Desktop-FOD-Package\~31bf3856ad364e35\~amd64\~\~.cab** 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md new file mode 100644 index 0000000000..7b908dc7a8 --- /dev/null +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -0,0 +1,108 @@ +--- +title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs +description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. +ms.assetid: +manager: dougeby +ms.author: mandia +ms.reviewer: amanh +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +author: MandiOhlinger +ms.date: 09/15/2021 +ms.localizationpriority: medium +--- + +# Private app repository in Windows 11 + +**Applies to**: + +- Windows 11 + +Starting in Windows 11, administrators have new options to deploy apps to devices. The Microsoft Store will continue to allow users to install public and retail apps. + +The Company Portal app is the private app repository for organizations and enterprises. It supports more app types and scenarios. + +When the Company Portal app is installed, users open it, and see the apps your organization makes available. Users select an app, and install it. + +This article discusses the Company Portal app installation options, adding organization apps, and more. + +## Before you begin + +The Company Portal app is included with Microsoft Endpoint Manager (MEM). Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices. + +If you're not managing your devices using an MDM provider, the following resources may help you get started: + +- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview) +- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) +- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + +## Prerequisites + +To use the Company Portal app: + +- Users must have a work account that's already set up. For more information, see [Manage users and groups in Microsoft 365](/microsoft-365/admin/add-users). +- Your organization must have an Intune subscription. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). + +## Install the Company Portal app + +To install the Company Portal app, you have some options: + +- **Use Microsoft Endpoint Manager**: Endpoint Manager includes Microsoft Intune (cloud) and Configuration Manager (on-premises). With both services, you can add Microsoft Store apps, like the Company Portal app. Once added, you create an app policy that deploys and installs the Company Portal app to your devices. + + - This option is preferred, and is the most scalable, especially if you have many devices. When you create the app policy, the policy can be deployed to many users and many devices simultaneously. Admins can also use reporting to make sure the app is installed on organization-managed devices. + + - On co-managed devices, which are managed by Microsoft Intune + Configuration Manager together, the Company Portal app shows your Intune apps and your Configuration Manager apps. So, all apps are shown in one place. + + - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. + + For more information, see: + + - [What is Microsoft Endpoint Manager](/mem/endpoint-manager-overview) + - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) + - [What is co-management?](/mem/configmgr/comanage/overview) + - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal) + +- **Use Windows Autopilot**: Windows Autopilot automatically provisions devices, registers them in your Azure AD organization (tenant), and gets them ready for production. If you're purchasing new devices, then we recommend using Windows Autopilot to preconfigure the devices, and get them ready for use. + + - In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you add the Company Portal app from the Microsoft Store. Once it's added, the app can be included in your Windows Autopilot deployment. When the device turns on and is getting ready, the Company Portal app is also installed, before users sign in. + + - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. + + For more information, see: + + - [What is Windows Autopilot](/mem/autopilot/windows-autopilot) + - [Add and assign the Company Portal app for Autopilot provisioned devices](/mem/intune/apps/store-apps-company-portal-autopilot) + +- **Use the Microsoft Store**: The Company Portal app is available in the Microsoft Store, and can be downloaded by your users. Users open the Microsoft Store app on their device, search for **Company Portal**, and install it. When it's installed, users might be prompted to sign in with their organization account (`user@contoso.com`). When the app opens, they see a list of approved organization apps that can be installed. + + - This option requires users to install the Company Portal app themselves. If you have many users, the recommended approach is to deploy the Company Portal app using Endpoint Manager or using Windows Autopilot. + + - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store, go to the **Library**, and check for updates. Within the Company Portal app, they can use the update feature to get app fixes and feature updates on the organization apps you added. + +## Customize the Company Portal app + +Many organizations customize the Company Portal app to include their specific information. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you can customize the Company Portal app. For example, you can add a brand logo, include support information, add self-service device actions, and more. + +For more information, see [Configure the Intune Company Portal app](/mem/intune/apps/company-portal-app). + +## Add your organization apps to the Company Portal app + +When you add an app in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), there's a **Show this as a featured app in the Company Portal** setting. Be sure you use this setting. + +On co-managed devices (Microsoft Intune + Configuration Manager together), your Configuration Manager apps can also be shown in the Company Portal app. For more information, see [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal). + +When the apps are shown, users can select and download the apps on their devices. You can add Microsoft Store apps, web apps, Microsoft 365 apps, LOB apps, Win32 apps, and sideload apps. For more information on adding apps to the Endpoint Manager admin center, see: + +- [Add Microsoft 365 apps using Intune](/mem/intune/apps/apps-add-office365) +- [Add web apps using Intune](/mem/intune/apps/web-app) +- [Add LOB apps using Intune](/mem/intune/apps/lob-apps-windows) +- [Win32 app management in Intune](/mem/intune/apps/apps-win32-app-management) +- [Create and deploy an application with Configuration Manager](/mem/configmgr/apps/get-started/create-and-deploy-an-application) + +If you use a third party or partner MDM provider, be sure to configure the settings that list your apps in the Company Portal app. + +## Windows Package Manager + +If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Endpoint Manager and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423). diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index 48795d6801..04aa767487 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # Provisioned apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 7edd100ef0..645475d40c 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Sideload LOB apps in Windows client OS | Microsoft Docs -description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10. When you sideload an app, you deploy a signed app package to a device. +description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: manager: dougeby @@ -10,15 +10,15 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 08/31/2021 ms.localizationpriority: medium --- # Sideload line of business (LOB) apps in Windows client devices -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 > [!NOTE] > Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. @@ -56,9 +56,9 @@ Managed devices are typically owned by your organization. They're managed by Gro Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. > [!IMPORTANT] -> To install an app on Windows 10 and later, you can: +> To install an app on Windows client, you can: > -> - [Install Windows 10 apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). +> - [Install Windows apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). > - Users can double-click any `.msix` or `.appx` package. ### User interface @@ -98,7 +98,7 @@ This step installs the app certificate to the local device. Installing the certi -OR- - You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package, see runtime instructions on [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). ## Step 3: Install the app diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 6ebea1ded8..d498c17fb4 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -2,7 +2,7 @@ title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: manager: dougeby -description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10. +description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,9 +15,10 @@ ms.topic: article # System apps installed with the Windows client OS -> Applies to: -> -> - Windows 10 +**Applies to**: + +- Windows 10 +- Windows 11 On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed. diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml index 6847361924..3655fed6e5 100644 --- a/windows/application-management/toc.yml +++ b/windows/application-management/toc.yml @@ -15,6 +15,8 @@ items: href: add-apps-and-features.md - name: Sideload apps href: sideload-apps-in-windows-10.md + - name: Private app repo on Windows 11 + href: private-app-repository-mdm-company-portal-windows-11.md - name: Remove background task resource restrictions href: enterprise-background-activity-controls.md - name: Enable or block Windows Mixed Reality apps in the enterprise @@ -199,7 +201,7 @@ items: items: - name: Using the App-V client management console href: app-v/appv-using-the-client-management-console.md - - name: Automatically clean-up unpublished packages on the App-V client + - name: Automatically clean up unpublished packages on the App-V client href: app-v/appv-auto-clean-unpublished-packages.md - name: Migrating items: diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 25ce17d38a..a3cff7c1bf 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -281,7 +281,7 @@ To find device identification strings using Device Manager ### Getting device identifiers using PnPUtil ```console -pnputil /enum-devices /deviceids +pnputil /enum-devices /ids ``` Here is an example of an output for a single device on a machine: diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 2dbb97d08c..0897f1666a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -428,6 +428,7 @@ ms.date: 10/08/2020 - [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) - [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) - [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 49be680162..a4847a452f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1676,6 +1676,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin +
+
+ ### ADMX_Logon policies
@@ -6065,6 +6073,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### Feeds policies +
+
+ Feeds/FeedsEnabled +
+
+ ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md new file mode 100644 index 0000000000..c1280d5f04 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - ADMX_LocationProviderAdm +description: Policy CSP - ADMX_LocationProviderAdm +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LocationProviderAdm +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +
+
+ + +
+ + +**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** + + +

Windows 10

Windows 10/11

64-bit

WindowsClient_10.0_x64

Windows 10

Windows 10/11

32-bit

WindowsClient_10.0_x86
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting turns off the Windows Location Provider feature for this computer. + +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. + +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Windows Location Provider* +- GP name: *DisableWindowsLocationProvider_1* +- GP path: *Windows Components\Location and Sensors\Windows Location Provider* +- GP ADMX file name: *LocationProviderAdm.admx* + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index f35134f108..1ed67abd42 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_nca -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -57,28 +61,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -95,7 +105,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. +This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: @@ -112,12 +122,7 @@ Each string can be one of the following types: You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -136,28 +141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -174,15 +185,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. +This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +207,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -239,7 +251,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. +This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. @@ -248,12 +260,7 @@ Each entry consists of the text PING: followed by the IPv6 address of an IPsec t You must configure this setting to have complete NCA functionality. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -272,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -310,17 +323,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -339,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -377,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. +This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. @@ -391,12 +405,7 @@ To restore the DirectAccess rules to the NRPT and resume normal DirectAccess fun If this setting is not configured, users do not have Connect or Disconnect options. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -415,28 +424,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -453,16 +468,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not. +This policy setting specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -481,28 +491,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -519,19 +535,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. +This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. If this setting is not configured, the entry for DirectAccess connectivity appears. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -550,28 +561,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -588,17 +605,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. +This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -611,8 +623,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 4981561468..9aff94fad5 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_NCSI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -92,15 +102,10 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. +This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -119,28 +124,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -157,15 +168,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. +This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -222,15 +234,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -249,28 +256,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -287,15 +300,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. +This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -317,28 +325,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -355,15 +369,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -382,28 +391,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -420,15 +435,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -447,28 +457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -485,15 +501,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -506,7 +517,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index f8c2d7401e..60cfff66e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Netlogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -138,28 +142,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -176,7 +186,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. @@ -191,12 +201,7 @@ To specify this behavior in the DC Locator DNS SRV records, click Enabled, and t If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -215,28 +220,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -253,7 +264,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. +This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. @@ -264,12 +275,7 @@ If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC add If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -290,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -328,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. +This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. @@ -337,12 +349,7 @@ If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -363,28 +370,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -401,7 +414,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. @@ -412,12 +425,7 @@ If you disable this policy setting, Net Logon will not allow the negotiation and If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -438,28 +446,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -476,7 +490,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. @@ -487,12 +501,7 @@ If you disable this policy setting, computers to which this setting is applied w If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -513,28 +522,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -551,7 +566,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. @@ -560,12 +575,7 @@ If you disable this policy setting, the DCs will not register site-specific DC L If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -586,28 +596,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -624,7 +640,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. +This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. @@ -636,12 +652,7 @@ If you enable or do not configure this policy setting, the DC location algorithm If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -700,7 +717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. +This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. @@ -711,12 +728,7 @@ If you disable this policy setting, the DCs will not attempt to verify any passw If you do not configure this policy setting, it is not applied to any DCs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -737,28 +749,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -775,7 +793,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. +This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting is 10 minutes (10*60). @@ -789,12 +807,7 @@ If the value of this setting is less than the value specified in the NegativeCac > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -815,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -853,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. @@ -869,12 +888,7 @@ If the value for this setting is smaller than the value specified for the Initia If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -895,28 +909,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -933,7 +953,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. +This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. @@ -941,12 +961,7 @@ The default value for this setting is to not quit retrying (0). The maximum valu > If the value for this setting is too small, a client will stop trying to find a DC too soon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -967,28 +982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1005,15 +1026,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1050,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,7 +1094,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service. +This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -1083,12 +1105,7 @@ If you specify zero for this policy setting, the default behavior occurs as desc If you disable this policy setting or do not configure it, the default behavior occurs as described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1109,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1147,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. +This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. @@ -1182,12 +1205,7 @@ If you disable this policy setting, DCs configured to perform dynamic registrati If you do not configure this policy setting, DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1208,28 +1226,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1246,7 +1270,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. +This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. @@ -1258,12 +1282,7 @@ To specify the Refresh Interval of the DC records, click Enabled, and then enter If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1284,28 +1303,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1322,7 +1347,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. +This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -1334,12 +1359,7 @@ The default local configuration is enabled. A reboot is not required for changes to this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1360,28 +1380,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1398,18 +1424,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1430,28 +1451,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1468,19 +1495,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1501,28 +1523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1539,7 +1567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. +This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. @@ -1550,12 +1578,7 @@ If you disable this policy setting, Force Rediscovery will be used by default fo If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1576,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1614,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. @@ -1623,12 +1652,7 @@ To specify the sites covered by the GC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1649,28 +1673,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1687,7 +1717,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). +This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). > [!NOTE] > To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. @@ -1699,12 +1729,7 @@ If you enable this policy setting, this DC does not process incoming mailslot me If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1725,28 +1750,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1763,7 +1794,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. +This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. @@ -1772,12 +1803,7 @@ To specify the Priority in the DC Locator DNS SRV resource records, click Enable If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1798,28 +1824,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1836,7 +1868,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. @@ -1845,12 +1877,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1871,28 +1898,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1909,19 +1942,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. +This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. If you disable or do not configure this policy setting, the default behavior occurs as indicated above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1942,28 +1970,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1980,7 +2014,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -1989,12 +2023,7 @@ To specify the sites covered by the DC Locator application directory partition-s If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2015,28 +2044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2053,7 +2088,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. @@ -2061,12 +2096,7 @@ The default value for this setting is 45 seconds. The maximum value for this set > If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2087,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2125,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2139,12 +2175,7 @@ By default, the Netlogon share will grant shared read access to files on the sha If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2165,28 +2196,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2203,17 +2240,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2234,28 +2266,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2272,7 +2310,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). +This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. @@ -2286,12 +2324,7 @@ To specify this behavior, click Enabled and then enter a value. The range of val If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2350,7 +2389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations: +This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. @@ -2363,12 +2402,7 @@ None of these operations are critical. 15 minutes is optimal in all but extreme To enable the setting, click Enabled, and then specify the interval in seconds. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2389,28 +2423,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2427,7 +2467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. +This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2436,12 +2476,7 @@ To specify the sites covered by the DC Locator DNS SRV records, click Enabled, a If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2462,28 +2497,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2500,7 +2541,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong. +This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. @@ -2509,12 +2550,7 @@ To specify the site name for this setting, click Enabled, and then enter the sit If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2535,28 +2571,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2573,7 +2615,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. +This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -2587,12 +2629,7 @@ By default, the SYSVOL share will grant shared read access to files on the share If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2613,28 +2650,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2651,7 +2694,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. @@ -2662,12 +2705,7 @@ If you disable this policy setting, Try Next Closest Site DC Location will not b If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2688,28 +2726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2726,7 +2770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. +This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. @@ -2735,12 +2779,7 @@ If you disable this policy setting, DCs will not register DC Locator DNS resourc If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2753,7 +2792,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 42d74dc6ad..e0e2c1610b 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_NetworkConnections -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -115,28 +119,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +163,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. +This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. @@ -171,12 +181,7 @@ The Install and Uninstall buttons appear in the properties dialog box for connec > Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +200,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -233,7 +244,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. +This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. @@ -247,12 +258,7 @@ If you disable this setting or do not configure it, the Advanced Settings item i > Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -271,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +321,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. +This policy setting determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. @@ -328,12 +340,7 @@ Changing this setting from Enabled to Not Configured does not enable the Advance > To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -352,28 +359,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -390,7 +403,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. +This policy setting Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. @@ -404,12 +417,7 @@ If you disable this setting or do not configure it, the Properties dialog box fo > Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -428,28 +436,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -466,7 +480,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. +This policy setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -486,12 +500,7 @@ When enabled, the "Prohibit deletion of remote access connections" setting takes > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -510,28 +519,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -548,7 +563,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. +This policy setting determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. @@ -566,12 +581,7 @@ When enabled, this setting takes precedence over the "Ability to delete all user > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -590,28 +600,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -628,7 +644,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. +This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. @@ -639,12 +655,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -663,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -701,19 +718,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. +This policy setting specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -732,28 +744,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -770,26 +788,20 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. +This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. -By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. +By default, Network Connections group settings in Windows do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. + +If you disable this setting or do not configure it, Windows settings that existed in Windows 2000 will not apply to administrators. -If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. -> [!NOTE] -> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -808,28 +820,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -846,7 +864,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. @@ -857,12 +875,7 @@ If you disable this policy setting, traffic between remote client computers runn If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -881,28 +894,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -919,19 +938,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -950,28 +964,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -988,7 +1008,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. +This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. @@ -1010,12 +1030,7 @@ The Local Area Connection Properties dialog box includes a list of the network c > Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1034,28 +1049,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,7 +1093,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. +This policy setting determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1086,12 +1107,7 @@ If you do not configure this setting, only Administrators and Network Configurat > Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1110,28 +1126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1148,7 +1170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. +This policy setting determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. @@ -1164,12 +1186,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1188,28 +1205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1226,7 +1249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. +This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. @@ -1240,12 +1263,7 @@ If you disable this setting or do not configure it, the Make New Connection icon > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1264,28 +1282,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1302,7 +1326,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. +This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. @@ -1318,12 +1342,7 @@ If you enable the "Windows Firewall: Protect all network connections" policy set If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1342,28 +1361,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1380,7 +1405,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. +This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1400,12 +1425,7 @@ If you do not configure this setting, only Administrators and Network Configurat > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1424,28 +1444,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1462,7 +1488,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. +This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. @@ -1474,7 +1500,7 @@ If you disable this setting or do not configure it, the Properties button is ena The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [NOTE] +> [!NOTE] > Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. > > When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. @@ -1482,12 +1508,7 @@ The Networking tab of the Remote Access Connection Properties dialog box include > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1506,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1544,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. +This policy setting determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). @@ -1553,12 +1580,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1577,28 +1599,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1615,7 +1643,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. +This policy setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1633,12 +1661,7 @@ If you disable this setting or do not configure it, a Properties menu item appea > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1657,28 +1680,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1695,7 +1724,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. +This policy setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1713,12 +1742,7 @@ When the "Ability to rename LAN connections or remote access connections availab This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1737,28 +1761,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1775,7 +1805,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. +This policy setting Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. @@ -1791,12 +1821,7 @@ If this setting is not configured, only Administrators and Network Configuration > This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1853,7 +1884,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. +This policy setting determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. @@ -1867,12 +1898,7 @@ If you do not configure this setting, only Administrators and Network Configurat When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1891,28 +1917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1929,7 +1961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. +This policy setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1943,12 +1975,7 @@ If you disable this setting or do not configure it, the Rename option is enabled > This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1967,28 +1994,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2005,13 +2038,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. +This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. @@ -2025,12 +2058,7 @@ Nonadministrators are already prohibited from configuring Internet Connection Sh Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2077,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2087,7 +2121,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. +This policy setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. @@ -2098,12 +2132,7 @@ If the "Enable Network Connections settings for Administrators" is disabled or n If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2122,28 +2151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2160,19 +2195,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. +This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's location without elevating. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2185,6 +2215,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index fa64224da3..27a8bd6ae6 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_OfflineFiles -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -171,28 +175,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -209,7 +219,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -218,12 +228,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -242,28 +247,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -280,7 +291,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -292,12 +303,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -316,28 +322,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -354,7 +366,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -366,12 +378,7 @@ If you do not configure this policy setting, no files or folders are made availa > This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +397,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -428,7 +441,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. @@ -437,12 +450,7 @@ You can also configure Background Sync for network shares that are in user selec If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -461,28 +469,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -499,7 +513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. @@ -518,12 +532,7 @@ If you enable this setting and specify an auto-cached space limit greater than t This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -542,28 +551,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -580,7 +595,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -602,12 +617,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -626,28 +636,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -664,7 +680,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -686,12 +702,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -710,28 +721,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -748,7 +765,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. +Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -766,12 +783,7 @@ If you do not configure this setting, disk space for automatically cached files > To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -790,28 +802,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -828,7 +846,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offline Files is enabled and users cannot disable it. @@ -840,12 +858,7 @@ If you do not configure this policy setting, Offline Files is enabled on Windows > Changes to this policy setting do not take effect until the affected computer is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -864,28 +877,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -902,7 +921,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted. +This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. @@ -917,12 +936,7 @@ If you do not configure this policy setting, encryption of the Offline Files cac This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -941,28 +955,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -979,7 +999,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -997,12 +1017,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1021,28 +1036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1059,7 +1080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log. +This policy setting determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. @@ -1077,12 +1098,7 @@ To use this setting, in the "Enter" box, select the number corresponding to the > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1101,28 +1117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1139,19 +1161,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. +This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1170,28 +1187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1208,7 +1231,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline. +Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." @@ -1220,12 +1243,7 @@ To use this setting, type the file name extension in the "Extensions" box. To ty > To make changes to this setting effective, you must log off and log on again. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1244,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1282,7 +1306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1304,12 +1328,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1328,28 +1347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1366,7 +1391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. +This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -1388,12 +1413,7 @@ This setting appears in the Computer Configuration and User Configuration folder Also, see the "Non-default server disconnect actions" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1412,28 +1432,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1450,7 +1476,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1462,12 +1488,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1486,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1524,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder. +This policy setting disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. @@ -1536,12 +1563,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1560,28 +1582,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1598,7 +1626,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1610,12 +1638,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1634,28 +1657,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1672,7 +1701,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. +This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. @@ -1684,12 +1713,7 @@ This setting appears in the Computer Configuration and User Configuration folder > This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1708,28 +1732,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1746,7 +1776,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1757,12 +1787,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1781,28 +1806,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1819,7 +1850,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline. +This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. @@ -1830,12 +1861,7 @@ If you disable or do not configure this policy setting, users can manually speci > - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1854,28 +1880,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1892,7 +1924,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1907,12 +1939,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1931,28 +1958,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1969,7 +2002,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. @@ -1984,12 +2017,7 @@ If you do not configure this policy setting, the "Make Available Offline" comman > - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2008,28 +2036,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2046,7 +2080,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2064,12 +2098,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2088,28 +2117,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2126,7 +2161,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting. +Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. @@ -2144,12 +2179,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,28 +2198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2206,7 +2242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. @@ -2217,12 +2253,7 @@ If you enable this policy setting, transparent caching is enabled and configurab If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2241,28 +2272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2279,7 +2316,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline. +This policy setting makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. @@ -2288,12 +2325,7 @@ If you enable this setting, when you make a folder available offline, all folder If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2312,28 +2344,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2350,7 +2388,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off. +This policy setting deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. @@ -2360,12 +2398,7 @@ If you disable this setting or do not configure it, automatically and manually c > Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2384,28 +2417,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2422,19 +2461,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files. +This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. If you disable this policy setting, all administratively assigned folders are synchronized at logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2453,28 +2487,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2491,7 +2531,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2503,12 +2543,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2527,28 +2562,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2565,7 +2606,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear. +This policy setting determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. @@ -2577,12 +2618,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2601,28 +2637,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2639,19 +2681,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2670,28 +2707,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2708,19 +2751,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed. +This policy setting determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2739,28 +2777,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2777,19 +2821,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2808,28 +2847,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2846,19 +2891,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed. +This policy setting determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2877,28 +2917,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2915,7 +2961,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. @@ -2932,12 +2978,7 @@ In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep us If you disable this policy setting, computers will not use the slow-link mode. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2956,28 +2997,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2994,7 +3041,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. +This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. @@ -3006,12 +3053,6 @@ If this setting is disabled or not configured, the default threshold value of 64 > Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -3030,28 +3071,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3068,7 +3115,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3084,12 +3131,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3108,28 +3150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3146,7 +3194,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off. +This policy setting determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3162,12 +3210,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3186,28 +3229,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3224,7 +3273,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3240,12 +3289,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3266,28 +3310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3304,7 +3354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on. +This policy setting determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. @@ -3320,12 +3370,7 @@ This setting appears in the Computer Configuration and User Configuration folder > To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3344,28 +3389,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3382,7 +3433,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3392,12 +3443,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3416,28 +3462,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3454,7 +3506,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended. +This policy setting determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. @@ -3464,12 +3516,7 @@ If you disable or do not configuring this setting, files are not synchronized wh > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3488,28 +3535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3526,19 +3579,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. +This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3557,28 +3605,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3595,19 +3649,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3626,28 +3675,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -3664,19 +3719,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -3689,8 +3739,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 790bed78ed..e3e5caf8a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PeerToPeerCaching -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -59,28 +63,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -97,7 +107,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode @@ -115,12 +125,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -139,28 +144,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -177,7 +188,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. @@ -193,12 +204,7 @@ Select one of the following: > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -217,28 +223,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -255,7 +267,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. +This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. @@ -277,12 +289,7 @@ Hosted cache clients must trust the server certificate that is issued to the hos > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -301,28 +308,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -339,7 +352,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. @@ -364,12 +377,7 @@ Select one of the following: - Disabled. With this selection, this policy is not applied to client computers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -388,28 +396,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -426,7 +440,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. +This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. @@ -447,12 +461,7 @@ In circumstances where this setting is enabled, you can also select and configur - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -471,28 +480,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -509,7 +524,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. Policy configuration @@ -524,12 +539,7 @@ In circumstances where this policy setting is enabled, you can also select and c - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -586,7 +602,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. +This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. @@ -608,12 +624,7 @@ In circumstances where this setting is enabled, you can also select and configur > This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -632,28 +643,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -670,7 +687,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. +This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. @@ -689,12 +706,7 @@ In circumstances where this setting is enabled, you can also select and configur - Specify the age in days for which segments in the data cache are valid. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -713,28 +725,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -751,7 +769,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." @@ -773,12 +791,7 @@ Select from the following versions - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -791,7 +804,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index cd77c701e3..c0586ccf19 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PerformanceDiagnostics -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics. +This policy setting determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. @@ -98,12 +108,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,28 +127,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -160,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -175,12 +186,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -199,28 +205,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -237,7 +249,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. +This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. @@ -252,12 +264,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -276,28 +283,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -314,7 +327,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics. +Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. @@ -329,12 +342,7 @@ No system restart or service restart is required for this policy to take effect: This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -347,8 +355,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 17087dd1d9..46c9adf221 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Power -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -108,28 +112,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -146,7 +156,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -155,12 +165,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -179,28 +184,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -217,19 +228,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -248,28 +254,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -286,7 +298,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -297,12 +309,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -321,28 +328,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -359,19 +372,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -390,28 +398,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -428,19 +442,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. +This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -459,28 +468,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -497,19 +512,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +538,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -566,19 +582,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. +This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -597,28 +608,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -635,19 +652,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. +This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -666,28 +678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -704,7 +722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. If you enable this policy setting, select one of the following actions: @@ -716,12 +734,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -740,28 +753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -778,7 +797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. +This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If you enable this policy setting, select one of the following actions: @@ -790,12 +809,7 @@ If you enable this policy setting, select one of the following actions: If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -814,28 +828,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -852,7 +872,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. @@ -861,12 +881,7 @@ To set the action that is triggered, see the "Critical Battery Notification Acti If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -885,28 +900,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -923,7 +944,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. @@ -934,12 +955,7 @@ The notification will only be shown if the "Low Battery Notification Action" pol If you disable or do not configure this policy setting, users can control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -958,28 +974,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -996,7 +1018,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. +This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. @@ -1005,12 +1027,7 @@ To set the action that is triggered, see the "Low Battery Notification Action" p If you disable this policy setting or do not configure it, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1029,28 +1046,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1067,7 +1090,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. +This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. @@ -1076,12 +1099,7 @@ If you disable this policy setting, network connectivity in standby is not guara If you do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1100,28 +1118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1138,19 +1162,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. +This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1169,28 +1188,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1207,7 +1232,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. +This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: @@ -1218,12 +1243,7 @@ If you enable this policy setting, select one of the following actions: If you disable this policy or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1242,28 +1262,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1280,19 +1306,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1311,28 +1332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1349,19 +1376,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. +This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1380,28 +1402,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1418,7 +1446,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. @@ -1431,12 +1459,7 @@ If you enable this policy setting, the computer system safely shuts down and rem If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1455,28 +1478,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1493,7 +1522,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1502,12 +1531,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1526,28 +1550,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1564,7 +1594,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. +This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. @@ -1573,12 +1603,7 @@ If you disable this policy setting, the desktop background slideshow is disabled If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1597,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1635,19 +1666,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. +This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, specify a power plan from the Active Power Plan list. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1666,28 +1692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1704,19 +1736,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1735,28 +1762,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1773,19 +1806,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. +This policy setting allows you to turn off Power Throttling. If you enable this policy setting, Power Throttling will be turned off. If you disable or do not configure this policy setting, users control this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1804,28 +1832,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1842,19 +1876,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. +This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. If you disable or do not configure this policy setting, users can see and change this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1867,7 +1896,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index dff726a8e8..d2d7e0d5b4 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_PowerShellExecutionPolicy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -84,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. +This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. @@ -96,12 +106,7 @@ To add modules and snap-ins to the policy setting list, click Show, and then typ > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. +This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. @@ -171,12 +182,7 @@ If you disable this policy setting, no scripts are allowed to run. > This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +201,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. +This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. @@ -246,12 +258,7 @@ If you use the OutputDirectory setting to enable transcript logging to a shared > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -270,28 +277,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +322,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. +This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. @@ -319,12 +332,7 @@ If this policy setting is disabled or not configured, this policy setting does n > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -337,7 +345,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 2376b4480e..fe3a0db756 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -112,28 +116,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -150,7 +160,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. +Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. @@ -164,12 +174,7 @@ Internet printing is an extension of Internet Information Services (IIS). To use Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -188,28 +193,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +237,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. +Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. @@ -240,12 +251,7 @@ If you disable this policy setting, then print drivers will be loaded within all > - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,7 +314,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. +By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. @@ -316,12 +328,7 @@ Also, see the "Activate Internet printing" setting in this setting folder and th Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -340,28 +347,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -378,7 +391,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers. +This policy setting allows you to manage where client computers search for Point and Printer drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. @@ -386,15 +399,9 @@ If you disable this policy setting, the client computer will only search the loc This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. -By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -413,28 +420,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -451,7 +464,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled, the network scan page will not be displayed. @@ -472,12 +485,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -496,28 +504,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -534,7 +548,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers. +Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. @@ -544,12 +558,7 @@ If you disable this setting, the network printer browse page is removed from wit > This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -568,28 +577,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -606,7 +621,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only effects printing to a Windows print server. @@ -624,12 +639,7 @@ If you do not enable this policy setting, the behavior is the same as disabling > In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -648,28 +658,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -686,17 +702,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. +Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -715,28 +726,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -753,7 +770,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard. +Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. @@ -764,12 +781,7 @@ This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -788,28 +800,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -826,24 +844,18 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. -If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. > [!NOTE] -> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. +> This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -862,28 +874,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -900,7 +918,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management. +This preference allows you to change default printer management. If you enable this setting, Windows will not manage the default printer. @@ -909,12 +927,7 @@ If you disable this setting, Windows will manage the default printer. If you do not configure this setting, default printer management will not change. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -933,28 +946,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -971,19 +990,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1002,28 +1016,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1040,7 +1060,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers. +If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. @@ -1049,12 +1069,7 @@ This setting does not prevent users from running other programs to delete a prin If this policy is disabled, or not configured, users can delete printers using the methods described above. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1073,28 +1088,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1111,7 +1132,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) If this setting is disabled, the network scan page will not be displayed. @@ -1129,12 +1150,7 @@ In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1153,28 +1169,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1191,19 +1213,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1222,28 +1239,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1260,19 +1283,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only. +This policy restricts clients computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1291,28 +1309,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1329,7 +1353,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1340,12 +1364,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1364,28 +1383,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1402,7 +1427,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers. +Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. @@ -1413,12 +1438,7 @@ If this setting is enabled, users will only be able to package point and print t If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1437,28 +1457,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1475,7 +1501,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers. +If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -1486,12 +1512,7 @@ Type the location of the user's computer. When users search for printers, the sy If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1510,28 +1531,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1548,7 +1575,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers. +Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. @@ -1557,12 +1584,7 @@ If you enable this setting, users can browse for printers by location without kn If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1581,28 +1603,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1619,7 +1647,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. @@ -1631,12 +1659,7 @@ If you disable this policy setting, the print spooler will execute print drivers > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1655,28 +1678,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1693,7 +1722,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. @@ -1705,12 +1734,7 @@ If you disable or do not configure this policy setting, the print spooler uses t > - This policy setting takes effect without restarting the print spooler service. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1729,28 +1753,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1767,7 +1797,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin. +Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. @@ -1776,12 +1806,7 @@ If you enable this policy setting, these searches begin at the location you spec This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1800,28 +1825,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1838,7 +1869,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. +Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. @@ -1852,12 +1883,7 @@ If you do not configure this setting, shared printers are announced to browse ma > A client license is used each time a client computer announces a printer to a print browse master on the domain. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1876,28 +1902,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1914,7 +1946,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs. +This policy controls whether the print job name will be included in print event logs. If you disable or do not configure this policy setting, the print job name will not be included. @@ -1924,12 +1956,7 @@ If you enable this policy setting, the print job name will be included in new lo > This setting does not apply to Branch Office Direct Printing jobs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1948,28 +1975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1986,7 +2019,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions. +This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. @@ -1995,12 +2028,7 @@ If you enable this policy setting, then all printer extensions will not be allow If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2013,7 +2041,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 55aeef679a..be91226a5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Printing2 -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -60,28 +64,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -98,7 +108,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. +Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. @@ -110,12 +120,7 @@ The default behavior is to automatically publish shared printers in Active Direc > This setting is ignored if the "Allow printers to be published" setting is disabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -134,28 +139,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -172,7 +183,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. +Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. @@ -184,12 +195,7 @@ If you disable this setting, the domain controller does not prune this computer' > You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -208,28 +214,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -246,7 +258,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. @@ -265,12 +277,7 @@ You can enable this setting to change the default behavior. To use this setting, > If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -289,28 +296,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -327,7 +340,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. +Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -341,12 +354,7 @@ If you do not configure or disable this setting the default values will be used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -365,28 +373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -403,7 +417,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread. +Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. @@ -415,12 +429,7 @@ By default, the pruning thread runs at normal priority. However, you can adjust > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -439,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -477,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. +Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. @@ -491,12 +506,7 @@ If you do not configure or disable this setting, the default values are used. > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -515,28 +525,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -553,7 +569,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. +Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. @@ -567,12 +583,7 @@ Note: This setting does not affect the logging of pruning events; the actual pru > This setting is used only on domain controllers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -591,28 +602,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -629,7 +646,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections. +This policy controls whether the print spooler will accept client connections. When the policy is not configured or enabled, the spooler will always accept client connections. @@ -638,12 +655,7 @@ When the policy is disabled, the spooler will not accept client connections nor The spooler must be restarted for changes to this policy to take effect. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -662,28 +674,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -700,7 +718,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. +Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. @@ -709,12 +727,7 @@ To enable this additional verification, enable this setting, and then select a v To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -727,6 +740,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 269ccd44c0..d6dcf488e4 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Programs -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -54,28 +58,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -92,7 +102,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. @@ -103,12 +113,7 @@ This setting does not prevent users from using other tools and methods to change This setting does not prevent the Default Programs icon from appearing on the Start menu. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -127,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -165,7 +176,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. +Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. @@ -179,12 +190,7 @@ If this setting is disabled or is not configured, the "Install a program from th > If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -203,28 +209,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -241,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. +This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. @@ -250,12 +262,7 @@ If this setting is disabled or not configured, the "View installed updates" task This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +281,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -312,19 +325,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. +This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be available to all users. This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -343,28 +351,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -381,7 +395,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. +This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. @@ -392,12 +406,7 @@ When enabled, this setting takes precedence over the other settings in this fold This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -416,28 +425,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -454,19 +469,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -485,28 +495,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -523,7 +539,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. +This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. @@ -535,12 +551,7 @@ If this feature is disabled or is not configured, the "Get new programs from Win > If the "Hide Programs control Panel" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -553,8 +564,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 917a3bcdc5..d7e4ecc5bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_Reliability -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +49,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -95,12 +105,7 @@ If you do not configure this policy setting, the Persistent System Timestamp is > This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -121,28 +126,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -159,7 +170,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -170,12 +181,7 @@ If you do not configure this policy setting, users can adjust this setting using Also see the "Configure Error Reporting" policy setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -244,16 +256,9 @@ If you disable this policy setting, the System State Data feature is never activ If you do not configure this policy setting, the default behavior for the System State Data feature occurs. -> [!NOTE] -> By default, the System State Data feature is always enabled on Windows Server 2003. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -274,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -312,7 +323,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -328,12 +339,7 @@ If you do not configure this policy setting, the default behavior for the Shutdo > By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -346,8 +352,7 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 485d680915..a6af07f6c6 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemoteAssistance -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +43,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +87,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. @@ -86,12 +96,7 @@ If you disable this policy setting, computers running this version and a previou If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +115,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -148,7 +159,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios. +This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. @@ -173,12 +184,7 @@ If you disable this policy setting, application-based settings are used. If you do not configure this policy setting, application-based settings are used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -190,7 +196,6 @@ ADMX Info:
-> [!NOTE] -> These policies are for upcoming release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index b839eb3de7..da757e7ffe 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -13,8 +13,12 @@ manager: dansimp --- # Policy CSP - ADMX_RemovableStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +>[!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -129,28 +133,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -167,7 +177,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -177,12 +187,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -201,28 +206,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -239,7 +250,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. @@ -249,12 +260,7 @@ If you disable or do not configure this setting, the operating system does not f > If no reboot is forced, the access right does not take effect until the operating system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -273,28 +279,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -311,19 +323,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class. +This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -342,28 +349,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -380,18 +393,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -448,19 +462,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class. +This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -517,19 +532,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -548,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -586,19 +602,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class. +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -617,28 +628,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -655,19 +672,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -686,28 +698,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -724,19 +742,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes. +This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -755,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -793,19 +812,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -823,28 +837,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -861,19 +881,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes. +This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -929,19 +950,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -959,28 +975,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -997,19 +1019,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1027,28 +1044,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1065,19 +1088,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1095,28 +1113,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1133,18 +1157,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1162,28 +1181,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1200,19 +1225,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1230,28 +1250,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1268,18 +1294,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks. +This policy setting denies execute access to removable disks. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1297,28 +1318,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1335,19 +1362,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1365,28 +1387,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1403,18 +1431,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks. +This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1432,28 +1455,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1470,7 +1499,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks. +This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this removable storage class. @@ -1480,12 +1509,7 @@ If you disable or do not configure this policy setting, write access is allowed > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1503,28 +1527,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1541,7 +1571,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1550,12 +1580,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1573,28 +1598,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1611,7 +1642,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes. +Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. @@ -1620,12 +1651,7 @@ If you enable this policy setting, no access is allowed to any removable storage If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1643,28 +1669,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1681,19 +1713,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions. +This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1711,28 +1738,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1749,19 +1782,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class. +This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1779,28 +1807,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1817,18 +1851,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1846,28 +1875,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1884,19 +1919,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class. +This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1914,28 +1944,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1952,18 +1988,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1981,28 +2012,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2019,19 +2056,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class. +This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2049,28 +2081,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2087,19 +2125,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2117,28 +2150,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2155,18 +2194,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2184,28 +2218,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2222,19 +2262,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2252,28 +2287,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2290,19 +2331,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2314,7 +2350,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 983dc1cc33..2843bc4633 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -78,23 +78,23 @@ manager: dansimp Home - check mark + ✔️ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -147,23 +147,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -216,23 +216,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -285,23 +285,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -356,23 +356,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -424,23 +424,23 @@ Most restricted value: 0 Home - cross mark + ❌ Pro - cross mark + ❌ Business - check mark8 + ✔️8 Enterprise - check mark8 + ✔️8 Education - check mark8 + ✔️8 @@ -501,23 +501,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark1 + ✔️1 Education - check mark1 + ✔️1 @@ -567,23 +567,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark5 + ✔️5 Business - check mark5 + ✔️5 Enterprise - check mark5 + ✔️5 Education - check mark5 + ✔️5 @@ -638,23 +638,23 @@ For this policy to work, the Windows apps need to declare in their manifest that Home - cross mark + ❌ Pro - check mark4 + ✔️4 Business - cross mark + ❌ Enterprise - check mark4 + ✔️4 Education - check mark4 + ✔️4 @@ -709,23 +709,23 @@ This setting supports a range of values between 0 and 1. Home - cross mark + ❌ Pro - check mark4 + ✔️4 Business - cross mark + ❌ Enterprise - check mark4 + ✔️4 Education - check mark4 + ✔️4 @@ -781,23 +781,23 @@ This setting supports a range of values between 0 and 1. Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -851,23 +851,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -919,23 +919,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - check mark + ✔️ Business - check mark + ✔️ Enterprise - check mark + ✔️ Education - check mark + ✔️ @@ -987,23 +987,23 @@ The following list shows the supported values: Home - cross mark + ❌ Pro - cross mark + ❌ Business - cross mark + ❌ Enterprise - check mark5 + ✔️5 Education - check mark5 + ✔️5 diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ff50ae9cb0..61abaceb22 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -37,9 +37,6 @@ manager: dansimp
Experience/AllowManualMDMUnenrollment
-
- Experience/AllowNewsAndInterestsOnTheTaskbar -
Experience/AllowSaveAsOfOfficeFiles
@@ -105,28 +102,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -184,28 +187,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -252,28 +261,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -314,28 +329,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -384,28 +405,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -442,65 +469,6 @@ The following list shows the supported values:
- - -**Experience/AllowNewsAndInterestsOnTheTaskbar** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
- - - -Specifies whether to allow "News and interests" on the Taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
Experience/AllowSaveAsOfOfficeFiles @@ -531,28 +499,34 @@ This policy is deprecated. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -589,28 +563,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -665,28 +645,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -735,28 +721,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -808,28 +800,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -880,28 +878,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -951,28 +955,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1021,28 +1031,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -1093,28 +1109,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1159,28 +1181,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markNoNo
Businesscheck markNoNo
Enterprisecheck markNoYes
Educationcheck markNoYes
@@ -1217,28 +1245,34 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1286,28 +1320,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark9YesYes
Procheck mark9YesYes
Businesscheck mark9YesYes
Enterprisecheck mark9YesYes
Educationcheck mark9YesYes
@@ -1356,28 +1396,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1426,28 +1472,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1512,36 +1564,40 @@ _**Turn syncing off by default but don’t disable**_ -
- **Experience/PreventUsersFromTurningOnBrowserSyncing** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1615,28 +1671,34 @@ Validation procedure: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md new file mode 100644 index 0000000000..0f683d9be9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -0,0 +1,103 @@ +--- +title: Policy CSP - Feeds +description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. +ms.author: v-nsatapathy +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.localizationpriority: medium +ms.date: 09/17/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - Feeds + + +
+ + +## Feeds policies + +
+
+ Feeds/FeedsEnabled +
+
+ + +
+ + +**Feeds/FeedsEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesNo
BusinessYesNo
EnterpriseYesNo
EducationYesNo
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting specifies whether news and interests is allowed on the device. + +The values for this policy are 1 and 0. This policy defaults to 1. + +- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + +ADMX Info: +- GP Friendly name: *Enable news and interests on the taskbar* +- GP name: *FeedsEnabled* +- GP path: *Windows Components\News and interests* +- GP ADMX file name: *Feeds.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 8ef9349148..b6c1c6d85e 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 09/28/2021 ms.reviewer: manager: dansimp --- @@ -76,6 +76,9 @@ manager: dansimp Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. +> [!TIP] +> To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 9d8ff38c27..22e27a3a21 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -480,7 +480,7 @@ items: - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md + href: policy-csp-admx-externalboot.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation @@ -519,6 +519,8 @@ items: href: policy-csp-admx-leakdiagnostic.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md - name: ADMX_Logon href: policy-csp-admx-logon.md - name: ADMX_MicrosoftDefenderAntivirus @@ -713,6 +715,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 1fed240483..87588a2a0e 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/30/2020 +ms.date: 09/21/2021 --- # VPNv2 CSP @@ -591,7 +591,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 90c2e725ed..7e2051d237 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -4,10 +4,18 @@ items: - name: Windows 11 items: - - name: Start menu layout - href: customize-start-menu-layout-windows-11.md - - name: Supported Start menu CSPs - href: supported-csp-start-menu-layout-windows.md + - name: Start menu + items: + - name: Customize Start menu layout + href: customize-start-menu-layout-windows-11.md + - name: Supported Start menu CSPs + href: supported-csp-start-menu-layout-windows.md + - name: Taskbar + items: + - name: Customize Taskbar + href: customize-taskbar-windows-11.md + - name: Supported Taskbar CSPs + href: supported-csp-taskbar-windows.md - name: Windows 10 Start and taskbar items: - name: Start layout and taskbar @@ -54,16 +62,14 @@ href: kiosk-methods.md - name: Prepare a device for kiosk configuration href: kiosk-prepare.md - - name: Set up digital signs on Windows 10 + - name: Set up digital signs href: setup-digital-signage.md - name: Set up a single-app kiosk href: kiosk-single-app.md - name: Set up a multi-app kiosk href: lock-down-windows-10-to-specific-apps.md - - name: Set up a shared or guest PC with Windows 10 + - name: Set up a shared or guest PC href: set-up-shared-or-guest-pc.md - - name: Set up a kiosk on Windows 10 Mobile - href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md - name: Kiosk reference information items: - name: More kiosk methods and reference information @@ -80,9 +86,9 @@ href: kiosk-xml.md - name: Use AppLocker to create a Windows 10 kiosk href: lock-down-windows-10-applocker.md - - name: Use Shell Launcher to create a Windows 10 kiosk + - name: Use Shell Launcher to create a Windows client kiosk href: kiosk-shelllauncher.md - - name: Use MDM Bridge WMI Provider to create a Windows 10 kiosk + - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - name: Troubleshoot kiosk mode issues href: kiosk-troubleshoot.md @@ -90,9 +96,9 @@ - name: Use provisioning packages items: - - name: Provisioning packages for Windows 10 + - name: Provisioning packages for Windows client href: provisioning-packages/provisioning-packages.md - - name: How provisioning works in Windows 10 + - name: How provisioning works in Windows client href: provisioning-packages/provisioning-how-it-works.md - name: Introduction to configuration service providers (CSPs) href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -112,7 +118,7 @@ href: provisioning-packages/provisioning-script-to-install-app.md - name: Create a provisioning package with multivariant settings href: provisioning-packages/provisioning-multivariant.md - - name: PowerShell cmdlets for provisioning Windows 10 (reference) + - name: PowerShell cmdlets for provisioning Windows client (reference) href: provisioning-packages/provisioning-powershell.md - name: Windows Configuration Designer command-line interface (reference) href: provisioning-packages/provisioning-command-line.md diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 90070e8930..f10b516b5c 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,6 +1,6 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs -description: Export Start layout to LayoutModification.json with pinned apps, add or remove pinned apps, and use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. +description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. ms.assetid: manager: dougeby ms.author: mandia @@ -10,7 +10,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: MandiOhlinger -ms.date: 09/14/2021 ms.localizationpriority: medium --- @@ -28,7 +27,7 @@ For example, you can override the default set of apps with your own a set of pin To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune MDM policy. +This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Endpoint Manager policy. ## Before you begin @@ -52,12 +51,29 @@ Start has the following areas: - **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default. - This article shows you how to use the **ConfigureStartPins** policy. + This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json). -- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. You can use the `Start/ShowOrHideMostUsedApps` CSP, which is a policy to configure the "Most used" section at the top of the all apps list. -- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. To prevent files from showing in this section, you can use the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists). This CSP also hides recent files that show from the taskbar. +- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. - You can use an MDM provider, like Microsoft Intune, to manage the [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) on your devices. For more information on the Start menu settings you can configure in a Microsoft Intune policy, see [Windows 10 (and later) device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-windows-10#start). + The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list. + + In **Endpoint Manager**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). + + In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: + + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` + - `User Configuration\Administrative Templates\Start Menu and Taskbar` + +- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file. + + The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar. + + In **Endpoint Manager**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). + + In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: + + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` + - `User Configuration\Administrative Templates\Start Menu and Taskbar` ## Create the JSON file @@ -111,13 +127,13 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization. -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. +MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list. -This section shows you how to create a pinned list policy in Microsoft Intune. There isn't a Group Policy to create a pinned list. +This section shows you how to create a pinned list policy in Endpoint Manager. There isn't a Group Policy to create a pinned list. -### Create a pinned list using a Microsoft Intune policy +### Create a pinned list using an Endpoint Manager policy -To deploy this policy in Microsoft Intune, the devices must be enrolled in Microsoft Intune, and managed by your organization. For more information, see [What is device enrollment in Intune?](/mem/intune/enrollment/device-enrollment). +To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. @@ -157,13 +173,12 @@ To deploy this policy in Microsoft Intune, the devices must be enrolled in Micro :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList"::: 8. Select **Save** > **Next** to save your changes. -9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure). +9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure). -The Windows OS has many CSPs that apply to the Start menu. Using an MDM provider, like Intune, you can use these CSPs to customize Start even more. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). +The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). -### Deploy the policy using Microsoft Intune +### Deploy the policy using Endpoint Manager -When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed before users sign in the first time. - -For more information on assigning policies using Microsoft Intune, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign). +When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time. +For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md new file mode 100644 index 0000000000..5cbfc1ef09 --- /dev/null +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -0,0 +1,246 @@ +--- +title: Configure and customize Windows 11 taskbar | Microsoft Docs +description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. +ms.assetid: +manager: dougeby +ms.author: mandia +ms.reviewer: chataylo +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +author: MandiOhlinger +ms.localizationpriority: medium +--- + +# Customize the Taskbar on Windows 11 + +**Applies to**: + +- Windows 11 + +> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). + +Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps. + +For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar. + +To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. + +This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. + +## Before you begin + +- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app). + +- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar. + +- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed. + +- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). + +- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. + + In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + + - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview) + - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + +## Create the XML file + +1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins two apps to the taskbar - File Explorer and the Command Prompt: + + ```xml + + + + + + + + + + + + ``` + +2. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: + + - ``: Select this option for UWP apps. Add the [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) of the UWP app. + - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. + + You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. + + For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). + +3. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: + + - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned. + - ``: Unpins the default apps. Only the apps you add are pinned. + + If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. + +4. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. + + In the following XML example, two regions are added: `US|UK` and `DE|FR`: + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + + The taskbar applies when: + + - If the `` node has a country or region, then the apps are pinned on devices configured for that country or region. + - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. + +5. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices. + +## Use Group Policy or MDM to create and deploy a taskbar policy + +Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Endpoint Manager. + +This section shows you how to deploy the XML both ways. + +### Use Group Policy to deploy your XML file + +Use the following steps to add your XML file to a group policy, and apply the policy: + +1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies. +2. Go to one of the following policies: + + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + +3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled. + + Your policy looks like the following policy: + + :::image type="content" source="./images/customize-taskbar-windows-11/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices."::: + + The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices. + +4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes. + + For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/). + +### Create a Microsoft Endpoint Manager policy to deploy your XML file + +MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list. + +Use the following steps to create an Endpoint Manager policy that deploys your taskbar XML file: + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Select **Devices** > **Configuration profiles** > **Create profile**. + +3. Enter the following properties: + + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. + +4. In **Basics**, enter the following properties: + + - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**. + - **Description**: Enter a description for the profile. This setting is optional, and recommended. + +5. Select **Next**. + +6. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file. + +7. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure). + +8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time. + + For more information and guidance on assigning policies using Microsoft Endpoint Manager, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). + +> [!NOTE] +> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. + +## Get the AUMID and Desktop app link path + +In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet: + +1. On an existing Windows 11 device, pin the app to the Start menu. +2. Create a folder to save an output file. For example, create the `C:\Layouts` folder. +3. Open the Windows PowerShell app, and run the following cmdlet: + + ```powershell + Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml" + ``` + +4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file. + +## Pin order for all apps + +On a taskbar, the following apps are typically pinned: + +- Apps pinned by the user +- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store. +- Apps pinned by your organization, such as in an unattended Windows setup. + + In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). + +Apps are pinned in the following order: + +1. Windows default apps are pinned first. +2. User-pinned apps are pinned after the Windows default apps. +3. XML-pinned apps are pinned after the user-pinned apps. + +If the OS is configured to use a right-to-left language, then the taskbar order is reversed. + +## OS install and upgrade + +- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar: + + - Apps you specifically add + - Any default apps you don't remove + + After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps. + +- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior: + + - If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps. + - If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned. + - If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps. + - New apps in updated layout file are pinned after the user's pinned apps. + + After the layout is applied, users can pin more apps, change the order, and unpin apps. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 42b70e6248..8a44c817f3 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) +title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC ms.reviewer: @@ -21,9 +21,11 @@ ms.localizationpriority: medium - Windows 10 - > **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +> [!NOTE] +> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11. + In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. > [!IMPORTANT] @@ -136,5 +138,5 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - [Add image for secondary tiles](start-secondary-tiles.md) - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index f5540c6ddd..6d4c284574 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,6 +1,6 @@ --- title: Find the Application User Model ID of an installed app -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. author: greg-lindsay diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index d24b76cd0c..5a019e0862 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,5 +1,5 @@ --- -title: Guidelines for choosing an app for assigned access (Windows 10) +title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 @@ -9,8 +9,7 @@ author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.topic: article -ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp --- @@ -19,7 +18,8 @@ manager: dansimp **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. @@ -45,9 +45,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. @@ -55,7 +55,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app >Kiosk Browser cannot access intranet websites. -**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). +**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps) @@ -162,7 +162,7 @@ Check the guidelines published by your selected app and set up accordingly. ## Develop your kiosk app -Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). diff --git a/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png b/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png new file mode 100644 index 0000000000..99252bd139 Binary files /dev/null and b/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png differ diff --git a/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png b/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png new file mode 100644 index 0000000000..9baebd536f Binary files /dev/null and b/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png differ diff --git a/windows/configuration/images/kiosk-account.PNG b/windows/configuration/images/kiosk-account.PNG deleted file mode 100644 index f78f9b9d56..0000000000 Binary files a/windows/configuration/images/kiosk-account.PNG and /dev/null differ diff --git a/windows/configuration/images/kiosk-common.PNG b/windows/configuration/images/kiosk-common.PNG deleted file mode 100644 index f5873a53aa..0000000000 Binary files a/windows/configuration/images/kiosk-common.PNG and /dev/null differ diff --git a/windows/configuration/images/seven.png b/windows/configuration/images/seven.png deleted file mode 100644 index 285a92df0b..0000000000 Binary files a/windows/configuration/images/seven.png and /dev/null differ diff --git a/windows/configuration/images/six.png b/windows/configuration/images/six.png deleted file mode 100644 index e8906332ec..0000000000 Binary files a/windows/configuration/images/six.png and /dev/null differ diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md new file mode 100644 index 0000000000..0213f9a5ac --- /dev/null +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -0,0 +1,12 @@ +--- +author: MandiOhlinger +ms.author: mandia +ms.date: 09/21/2021 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: w10 +ms.topic: include +--- + +Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11. \ No newline at end of file diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 67f49befe3..c772c6f064 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -1,8 +1,8 @@ --- -title: More kiosk methods and reference information (Windows 10) +title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -19,7 +19,8 @@ ms.topic: reference **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 ## In this section @@ -31,11 +32,8 @@ Topic | Description [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. -[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. -[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. -[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +[Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. +[Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. +[Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. - - - diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 73c8fdcc17..ec7e635617 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -1,8 +1,8 @@ --- -title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,16 +11,16 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 11/07/2018 ms.topic: article --- -# Use MDM Bridge WMI Provider to create a Windows 10 kiosk +# Use MDM Bridge WMI Provider to create a Windows client kiosk **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 9efa2b652d..0c36aa0d52 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -1,9 +1,9 @@ --- -title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) -ms.reviewer: +title: Configure kiosks and digital signs on Windows 10/11 desktop editions +ms.reviewer: sybruckm manager: dansimp ms.author: greglin -description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions. +description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,21 +18,29 @@ ms.topic: article >[!WARNING] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: +**Applies to** -- **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. +- Windows 10 +- Windows 11 + +Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: + +- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen. - ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png) + ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) -- **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. +- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. - A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. + > [!NOTE] + > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] - ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png) + A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. -Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. @@ -40,19 +48,19 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents apps.](images/office-logo.png) - Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) + Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - **Which type of kiosk do you need?** ![icon that represents a kiosk.](images/kiosk.png) - If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). + If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). -- **Which edition of Windows 10 will the kiosk run?** +- **Which edition of Windows client will the kiosk run?** ![icon that represents Windows.](images/windows.png) - All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. + All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home. - **Which type of user account will be the kiosk account?** @@ -62,10 +70,8 @@ There are several kiosk configuration methods that you can choose from, dependin >[!IMPORTANT] ->Single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. - - - +>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + ## Methods for a single-app kiosk running a UWP app You can use this method | For this edition | For this kiosk account type @@ -100,15 +106,14 @@ You can use this method | For this edition | For this kiosk account type Method | App type | Account type | Single-app kiosk | Multi-app kiosk --- | --- | --- | :---: | :---: -[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | -[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | -[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | -[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X -Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X -[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | -[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️ +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️ +[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | ✔️ >[!NOTE] ->For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. - +>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 9f817f7581..a12e1a5b19 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -1,8 +1,8 @@ --- -title: Policies enforced on kiosk devices (Windows 10) +title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 @@ -11,7 +11,6 @@ ms.sitesec: library ms.pagetype: edu, security author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/30/2018 ms.author: greglin ms.topic: article --- @@ -21,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index ba1aaa2b58..5eef3d900c 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -1,8 +1,8 @@ --- -title: Prepare a device for kiosk configuration (Windows 10) +title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -19,49 +19,206 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -> [!WARNING] -> For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. -> -> Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that might allow an attacker subverting the assigned access application to gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. -> [!IMPORTANT] -> [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. -> -> Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + +## Before you begin + +- [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. +- Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk. +- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. + + Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. + +- MDM providers, such as [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + + - [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started) + - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) ## Configuration recommendations -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: -Recommendation | How to ---- | --- -Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. -Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`

**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.

To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. -Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time** -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled** -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` + + - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + - **Use the registry**: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`. + 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: + + - `1`: Hides all notifications except restart warnings. + - `2`: Hides all notifications, including restart warnings. + +- **Enable and schedule automatic updates**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`. + - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. + +- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. + + - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + +- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. + +- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. + + Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. + + Your options: + + - Use the **Settings** app: + 1. Open the **Settings** app. + 2. Go to **System** > **Tablet mode**. + 3. Configure the settings you want. + + - Use the **Action Center**: + 1. On your device, swipe in from the left. + 2. Select **Tablet mode**. + +- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: + + - **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature. + - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). + +- **Disable the hardware power button**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**. + 3. Select **Do nothing**. + 4. **Save changes**. + + - **Use Group Policy**: Your options: + + - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. + + To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. + + - **Use an MDM provider**: In Endpoint Manager, you have some options: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `Power\Select Power Button Action on Battery`: Set to **Take no action**. + - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**. + - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. + +- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: + + - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. + + - **Use MDM**: In Endpoint Manager, you have the following option: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. + +- **Disable the camera**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **Privacy** > **Camera**. + 3. Select **Allow apps use my camera** > **Off**. + + - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. + + - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage. + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Camera\Allow camera`: Set to **Not allowed**. + +- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: + + - **Use the Settings app**: + + 1. Open the **Settings** app. + 2. Go to **System** > **Notifications & actions**. + 3. In **Show notifications on the lock screen**, select **Off**. + + - **Use Group policy**: + - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + + - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options: + + - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + +- **Disable removable media**: To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + - **Use an MDM provider**: In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. ## Enable logging Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) +:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: ## Automatic logon -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. +You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. > [!NOTE] -> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. > [!TIP] > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. @@ -88,7 +245,7 @@ In addition to the settings in the table, you may want to set up **automatic log - *DefaultPassword*: set value as the password for the account. > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -104,150 +261,56 @@ In addition to the settings in the table, you may want to set up **automatic log The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. -> [!Note] -> Where applicable, the table notes which features are optional that you can configure for assigned access. +- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FeatureDescription

Accessibility

Assigned access does not change Ease of Access settings.

-

We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

- ---- - - - - - - - - - - - - - - - - - - - - -
Key combinationBlocked behavior

Left Alt+Left Shift+Print Screen

Open High Contrast dialog box.

Left Alt+Left Shift+Num Lock

Open Mouse Keys dialog box.

Windows logo key+U

Open Ease of Access Center.

-

 

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

Key sequences blocked by assigned access

When in assigned access, some key combinations are blocked for assigned access users.

-

Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

-

Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Key combinationBlocked behavior for assigned access users

Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Esc

Open the Start screen.

Ctrl+F4

Close the window.

Ctrl+Shift+Esc

Open Task Manager.

Ctrl+Tab

Switch windows within the application currently open.

LaunchApp1

Open the app that is assigned to this key.

LaunchApp2

Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

LaunchMail

Open the default mail client.

Windows logo key

Open the Start screen.

-

 

-

Keyboard Filter settings apply to other standard accounts.

Key sequences blocked by Keyboard Filter

If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic.

-

Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education.

-

Power button

Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

-

For more information on removing the power button or disabling the physical power button, see Custom Logon.

Unified Write Filter (UWF)

UWFsettings apply to all users, including those with assigned access.

-

For more information, see Unified Write Filter.

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

-

If you need to use assigned access API, see WEDL_AssignedAccess.

Welcome Screen

Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

-

For more information, see Custom Logon.

+ | Key combination | Blocked behavior | + | --- | --- | + | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. | + | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. | + | Windows logo key + U | Open Ease of Access Center. | +- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) - +- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. + + Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. + + Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). + + | Key combination | Blocked behavior for assigned access users | + | --- | --- | + | Alt + Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. | + | Ctrl + Esc | Open the Start screen. | + | Ctrl + F4 | Close the window. | + | Ctrl + Shift + Esc | Open Task Manager. | + | Ctrl + Tab | Switch windows within the application currently open. | + | LaunchApp1 | Open the app that is assigned to this key. | + | LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. | + | LaunchMail | Open the default mail client. | + | Windows logo key | Open the Start screen. | + + Keyboard Filter settings apply to other standard accounts. + +- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). + + [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. + +- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it's in assigned access. + + For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). + +- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. + + For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). + +- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. + + If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). + +- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. + + For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). ## Testing your kiosk in a virtual machine (VM) @@ -257,8 +320,8 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. -![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png) +:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used."::: -To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. +To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: -![Do not select the connect button, use "close X" in the top corner](images/vm-kiosk-connect.png) \ No newline at end of file +:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session."::: diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 73e724bd75..3b720d1bbe 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -1,8 +1,8 @@ --- -title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) +title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -14,13 +14,14 @@ ms.localizationpriority: medium ms.topic: article --- -# Use Shell Launcher to create a Windows 10 kiosk +# Use Shell Launcher to create a Windows client kiosk **Applies to** - Windows 10 Ent, Edu +- Windows 11 -Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. +Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. >[!NOTE] >Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. @@ -30,7 +31,7 @@ Using Shell Launcher, you can configure a device that runs an application as the >- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies >- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies -You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. +You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. ## Differences between Shell Launcher v1 and Shell Launcher v2 @@ -292,7 +293,7 @@ Value|Description These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI. -To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) +To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) ``` xml diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4a123b3408..3a71008734 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,8 +1,8 @@ --- -title: Set up a single-app kiosk (Windows 10) -description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +title: Set up a single-app kiosk on Windows 10/11 +description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,18 +11,18 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 01/09/2019 ms.topic: article --- -# Set up a single-app kiosk +# Set up a single-app kiosk on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. +A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. ![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) @@ -33,48 +33,69 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th You have several options for configuring your single-app kiosk. -Method | Description ---- | --- -[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

This method is supported on Windows 10 Pro, Enterprise, and Education. -[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. -[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. -[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. + This option supports: ->[!TIP] ->You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. + + This option supports: + + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. + + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration. + + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +> [!TIP] +> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). > ->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. ## Set up a kiosk in local Settings ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user You can use **Settings** to quickly configure one or a few devices as a kiosk. -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. +When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. +- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. -- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. +- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. -![Screenshot of automatic sign-in setting.](images/auto-signin.png) + ![Screenshot of automatic sign-in setting.](images/auto-signin.png) -### Instructions for Windows 10, version 1809 +### Windows 10 version 1809+ / Windows 11 -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other users**. +1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. 2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. @@ -94,15 +115,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. -### Instructions for Windows 10, version 1803 and earlier +### Windows 10 version 1803 and earlier -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ![The Set up assigned access page in Settings.](images/kiosk-settings.png) **To set up assigned access in PC settings** -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. 2. Select **Set up assigned access**. @@ -110,26 +131,24 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi 4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account signs in. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - - ## Set up a kiosk using Windows PowerShell ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user ![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) @@ -137,59 +156,49 @@ You can use any of the following PowerShell cmdlets to set up assigned access on Before you run the cmdlet: -1. Log in as administrator. +1. Sign in as administrator. 2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. -3. Log in as the Assigned Access user account. +3. Sign in as the Assigned Access user account. 4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. -5. Log out as the Assigned Access user account. -6. Log in as administrator. +5. Sign out as the Assigned Access user account. +6. Sign in as administrator. -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. +To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. -**Configure assigned access by AppUserModelID and user name** - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` -**Configure assigned access by AppUserModelID and user SID** - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` -**Configure assigned access by app name and user name** - -``` -Set-AssignedAccess -AppName -UserName -``` -**Configure assigned access by app name and user SID** - -``` -Set-AssignedAccess -AppName -UserSID -``` +- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId -UserName ` +- **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId -UserSID ` +- **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName -UserName ` +- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` > [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once. [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md). [Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). -To remove assigned access, using PowerShell, run the following cmdlet. +To remove assigned access, using PowerShell, run the following cmdlet: -``` +```powershell Clear-AssignedAccess ``` - ## Set up a kiosk using the kiosk wizard in Windows Configuration Designer ->App type: UWP or Windows desktop application +>App type: +> - UWP +> - Windows desktop application > ->OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +>OS: +> - Windows 10 Pro version 1709+ for UWP only +> - Windows 10 Ent, Edu for UWP and Windows desktop applications +> - Windows 11 > ->Account type: Local standard user, Active Directory +>Account type: +> - Local standard user +> - Active Directory ![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) @@ -199,69 +208,136 @@ Clear-AssignedAccess When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings: -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. +1. Enable device setup: + :::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + If you want to enable device setup, select **Set up device**, and configure the following settings: - - - - - - - - - -
step oneset up device

Enable device setup if you want to configure settings on this page.

If enabled:

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device. 		device name, upgrade to enterprise, shared use, remove pre-installed software
step two set up network

Enable network setup if you want to configure settings on this page.

If enabled:

Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.		Enter network SSID and type
step three account management

Enable account management if you want to configure settings on this page.

If enabled:

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		join Active Directory, Azure AD, or create a local admin account
step four add applications

You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application. 		add an application
step five add certificates

To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.		add a certificate
step six Configure kiosk account and app

You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.		The 'Configure kiosk common settings' button as displayed while provisioning a kiosk device in Windows Configuration Designer.
step seven configure kiosk common settings

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.		set tablet mode and configure welcome and shutdown and turn off timeout settings
The 'finish' button as displayed while provisioning a kiosk device in Windows Configuration Designer.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		Protect your package
+ - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. + - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). + - **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. +2. Set up the network: + + :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + + If you want to enable network setup, select **Set up network**, and configure the following settings: + + - **Set up network**: To enable wireless connectivity, select **On**. + - **Network SSID**: Enter the Service Set Identifier (SSID) of the network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + +3. Enable account management: + + :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: + + If you want to enable account management, select **Account Management**, and configure the following settings: + + - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: + - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. + - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + + You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. + + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + +4. Add applications: + + :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode."::: + + To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md). + + > [!WARNING] + > If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then: + > + > 1. In **Installer Path**, select any executable file. + > 2. When the **Cancel** button shows, select it. + > + > These steps let you complete the provisioning package without adding an application. + +5. Add certificates: + + :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + + To add a certificate to the devices, select **Add certificates**, and configure the following settings: + + - **Certificate name**: Enter a name for the certificate. + - **Certificate path**: Browse and select the certificate you want to add. + +6. Configure the kiosk account, and the kiosk mode app: + + :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device."::: + + To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings: + + - **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app. + - **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`). + - **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options: + - **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required. + - **Universal Windows app**: Enter the AUMID. + +7. Configure kiosk common settings: + + :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings."::: + + To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings: + + - **Set tablet mode** + - **Customize user experience** + - **Configure power settings** + +8. Finish: + + :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + + To complete the wizard, select **Finish**, and configure the following setting: + + - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. >[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - [Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - - - ## Set up a kiosk or digital sign using Microsoft Intune or other MDM service ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro (version 1709), Ent, Edu +>OS: +> - Windows 10 Pro version 1709+, Ent, Edu +> - Windows 11 > ->Account type: Local standard user, Azure AD - - +>Account type: +> - Local standard user +> - Azure AD Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] ->Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). +>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. +To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. ## Sign out of assigned access -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** +`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index e34bee8204..83bba68ec0 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -1,8 +1,8 @@ --- -title: Troubleshoot kiosk mode issues (Windows 10) +title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions"] ms.prod: w10 @@ -20,12 +20,13 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 ## Single-app kiosk issues >[!TIP] ->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem. +>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem. ### Sign-in issues @@ -38,6 +39,9 @@ Check the Event Viewer logs for auto logon issues under **Applications and Servi ## Multi-app kiosk issues +> [!NOTE] +> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] + ### Unexpected results For example: diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 13ba945753..a43d130016 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -1,8 +1,8 @@ --- -title: Validate kiosk configuration (Windows 10) -description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education. +title: Validate kiosk configuration (Windows 10/11) +description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] @@ -11,7 +11,6 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/30/2018 ms.topic: article --- @@ -20,7 +19,8 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 36dd8ce054..5ffdb783e5 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,8 +1,8 @@ --- -title: Assigned Access configuration kiosk XML reference (Windows 10) -description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10. +title: Assigned Access configuration kiosk XML reference (Windows 10/11) +description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 @@ -11,7 +11,6 @@ ms.sitesec: library ms.pagetype: edu, security author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 ms.author: greglin ms.topic: article --- @@ -21,7 +20,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 ## Full XML sample @@ -255,9 +255,16 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## Global Profile Sample XML -Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in +Global Profile is supported on: + +- Windows 10 version 2004+ +- Windows 11 + +Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. + +This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in. + ```xml [!NOTE] ->Updated for Windows 10, version 1903 and later. -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +>Updated for Windows 10, version 1903+. + +The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release: ```xml @@ -814,7 +822,8 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here is the schema for new features introduced in Windows 10 1809 release +The following XML is the schema for new features introduced in Windows 10 1809 release: + ```xml ``` -Schema for Windows 10, version 1909 and later +The following XML is the schema for Windows 10 version 1909+: + ```xml ``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. + +For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. + ```xml [!NOTE] +> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] + A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. The following table lists changes to multi-app kiosk in recent updates. -| New features and improvements | In update | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| - Configure [a single-app kiosk profile](#profile) in your XML file

- Assign [group accounts to a config profile](#config-for-group-accounts)

- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | +| New features and improvements | In update | +| --- | ---| +| - Configure [a single-app kiosk profile](#profile) in your XML file

- Assign [group accounts to a config profile](#config-for-group-accounts)

- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | | - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

- [Automatically launch an app](#allowedapps) when the user signs in

- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] @@ -43,7 +45,10 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows). +To configure a kiosk in Microsoft Intune, see: + +- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) +- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) @@ -59,7 +64,7 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites @@ -114,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: @@ -146,7 +151,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). @@ -189,7 +194,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ##### FileExplorerNamespaceRestrictions -Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. The following example shows how to allow user access to the Downloads folder in the common file dialog box. @@ -231,7 +236,7 @@ FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerele After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. -The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). +The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). A few things to note here: @@ -269,7 +274,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ``` >[!NOTE] ->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. +>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. ![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) @@ -333,7 +338,7 @@ The following example shows how to specify an account to sign in automatically. ``` -In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". +Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". ```xml @@ -411,7 +416,7 @@ Group accounts are specified using ``. Nested groups are not supporte #### [Preview] Global Profile -Global profile is added in current Windows 10 Prerelease. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. +Global profile is added in Windows 10. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user. @@ -538,7 +543,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). >[!TIP] ->In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage?view=win10-ps) with `-LogsDirectoryPath` to get logs for the operation. +>In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. #### During initial setup, from a USB drive @@ -572,7 +577,6 @@ Provisioning packages can be applied to a device during the first-run experience ![add a package option.](images/package.png) - ### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 38d6791423..65eac1c2a8 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,8 +1,8 @@ --- -title: Configuration service providers for IT pros (Windows 10) +title: Configuration service providers for IT pros (Windows 10/11) description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp ms.prod: w10 ms.mktglfcycl: manage @@ -11,34 +11,28 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Configuration service providers for IT pros **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 11 -This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). - -> [!NOTE] -> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - - [See what's new for CSPs in Windows 10, version 1809.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) +This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). ## What is a CSP? In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. -Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10. +On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. -CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -![how intune maps to csp.](../images/policytocsp.png) +:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP"::: CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. @@ -48,7 +42,7 @@ The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based ### The WMI-to-CSP Bridge -The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. +The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. [Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) @@ -56,9 +50,7 @@ The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs u Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. - -Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). In the CSP topics, you can learn about all of the available configuration settings. +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. ### CSPs in Windows Configuration Designer @@ -66,9 +58,9 @@ You can use Windows Configuration Designer to create [provisioning packages](./p Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -![how help content appears in icd.](../images/cspinicd.png) +:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in icd."::: -[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. +[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. ### CSPs in MDM @@ -78,15 +70,15 @@ When a CSP is available but is not explicitly included in your MDM solution, you ### CSPs in Lockdown XML -Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML. +Starting with Windows 10 version 1703, you can use the [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML. ## How do you use the CSP documentation? -All CSPs in Windows 10 are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). +All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). -The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. +The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP. -![csp per windows edition.](../images/csptable.png) +:::image type="content" source="../images/csptable.png" alt-text="The CSP reference shows the supported Windows editions"::: The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. @@ -94,7 +86,7 @@ The full path to a specific configuration setting is represented by its Open Mob The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png) +:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access csp tree."::: The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). @@ -104,7 +96,7 @@ The element in the tree diagram after the root node tells you the name of the CS When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. -![placeholder in csp tree.](../images/csp-placeholder.png) +:::image type="content" source="../images/csp-placeholder.png" alt-text="The placeholder in the CSP tree"::: After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. @@ -114,26 +106,11 @@ The documentation for most CSPs will also include an XML example. ## CSP examples -CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. +CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. -- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) - - The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app. - - In addition to lock screen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml that can be used to lock down the device through the following settings: - - - Enabling or disabling the Action Center. - - Configuring the number of tile columns in the Start layout. - - Restricting the apps that will be available on the device. - - Restricting the settings that the user can access. - - Restricting the hardware buttons that will be operable. - - Restricting access to the context menu. - - Enabling or disabling tile manipulation. - - Creating role-specific configurations. - - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) - The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. + The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. Some of the settings available in the Policy CSP include the following: @@ -153,7 +130,7 @@ CSPs provide access to a number of settings useful to enterprises. This section - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - **WiFi**, such as whether Internet sharing is enabled. -Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both: +Here is a list of CSPs supported on Windows 10 Enterprise: - [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) - [Application CSP](/windows/client-management/mdm/application-csp) @@ -211,4 +188,4 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Ent - [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) - [Wi-Fi CSP](/documentation/) - [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) -- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) \ No newline at end of file +- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index a67b88d02f..f4325299ce 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,8 +1,8 @@ --- -title: Provision PCs with common settings (Windows 10) +title: Provision PCs with common settings (Windows 10/11) description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 @@ -12,7 +12,6 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 --- # Provision PCs with common settings for initial deployment (desktop wizard) @@ -20,16 +19,17 @@ ms.date: 07/27/2017 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. +This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. ## Advantages - You can configure new devices without reimaging. -- Works on both mobile and desktop devices. +- Works on desktop devices. - No network connectivity required. @@ -51,14 +51,14 @@ The desktop wizard helps you configure the following settings in a provisioning - Add applications and certificates >[!WARNING] ->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > ->![open advanced editor.](../images/icd-simple-edit.png) +> :::image type="content" source="../images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor."::: ## Create the provisioning package @@ -68,26 +68,76 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options.](../images/icd-create-options-1703.png) + :::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning.](../images/icd-desktop-1703.png) + :::image type="content" source="../images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning."::: > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. ## Configure settings +1. Enable device setup: - - - - - - - -
step oneset up device

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.

You can also select to remove pre-installed software from the device. 		device name, upgrade to enterprise, shared use, remove pre-installed software
step two set up network

Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.		Enter network SSID and type
step three account management

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 		join Active Directory, Azure AD, or create a local admin account
step four add applications

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps. 		add an application
step five add certificates

To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.		add a certificate
The 'finish' button as displayed when provisioning a desktop device in Windows Configuration Designer.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.		Protect your package
+ :::image type="content" source="../images/set-up-device-details-desktop.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + + If you want to enable device setup, select **Set up device**, and configure the following settings: + + - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. + - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). + - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. + +2. Set up the network: + + :::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + + If you want to enable network setup, select **Set up network**, and configure the following settings: + + - **Set up network**: To enable wireless connectivity, select **On**. + - **Network SSID**: Enter the Service Set IDentifier (SSID) of the network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + +3. Enable account management: + + :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account."::: + + If you want to enable account management, select **Account Management**, and configure the following settings: + + - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: + - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. + - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + + You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards. + + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + +4. Add applications: + + :::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application."::: + + To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). + +5. Add certificates: + + :::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + + To add a certificate to the devices, select **Add certificates**, and configure the following settings: + + - **Certificate name**: Enter a name for the certificate. + - **Certificate path**: Browse and select the certificate you want to add. + +6. Finish: + + :::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + + To complete the wizard, select **Finish**, and configure the following setting: + + - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. @@ -98,19 +148,17 @@ After you're done, click **Create**. It only takes a few seconds. When the packa - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) - [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index f6f7f9876b..182d0e0207 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -1,5 +1,5 @@ --- -title: Provision PCs with apps (Windows 10) +title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 @@ -9,8 +9,7 @@ author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.topic: article -ms.date: 09/06/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -20,9 +19,10 @@ manager: dansimp **Applies to** - Windows 10 +- Windows 11 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -33,7 +33,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app. -- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license. +- **Package family name**: Specify the package family name if you don’t specify a license. This field will be autopopulated after you specify a license. - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app @@ -44,25 +44,25 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate > [!NOTE] > You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). -- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE +- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE -- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). ### Exe or other installer -- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags - **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. -- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). @@ -72,7 +72,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. -2. Enter a name for the first app, and then click **Add**. +2. Enter a name for the first app, and then select **Add**. ![enter name for first app.](../images/wcd-app-name.png) @@ -90,9 +90,9 @@ Universal apps that you can distribute in the provisioning package can be line-o ![details for offline app package.](../images/uwp-family.png) -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). +3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. +4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. ![required frameworks for offline app package.](../images/uwp-dependencies.png) @@ -102,11 +102,11 @@ Universal apps that you can distribute in the provisioning package can be line-o ![generate license for offline app.](../images/uwp-license.png) - - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**. -6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. +6. In the **Available customizations** pane, select the **LicenseProductId** that you just added. -7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. +7. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) @@ -119,7 +119,7 @@ Universal apps that you can distribute in the provisioning package can be line-o 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. -2. Enter a **CertificateName** and then click **Add**. +2. Enter a **CertificateName** and then select **Add**. 2. Enter the **CertificatePassword**. @@ -136,12 +136,13 @@ For details about the settings you can customize in provisioning packages, see [ ## Build your package -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. +1. When you are done configuring the provisioning package, on the **File** menu, select **Save**. -2. Read the warning that project files may contain sensitive information, and click **OK**. - > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +2. Read the warning that project files may contain sensitive information, and select **OK**. -3. On the **Export** menu, click **Provisioning package**. + When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed. + +3. On the **Export** menu, select **Provisioning package**. 4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** @@ -154,25 +155,25 @@ For details about the settings you can customize in provisioning packages, see [ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. - **Important** - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + > [!TIP] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

- Optionally, you can click **Browse** to change the default output location. +7. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+ Optionally, you can select **Browse** to change the default output location. -8. Click **Next**. +8. Select **Next**. -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

- If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +9. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+ If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**. 11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: @@ -184,33 +185,25 @@ For details about the settings you can customize in provisioning packages, see [ - Email - - USB tether (mobile only) - - - NFC (mobile only) - - - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) ## Learn more - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md) - [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 4a9381ab1c..44ef49c0ab 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,5 +1,5 @@ --- -title: Apply a provisioning package (Windows 10) +title: Apply a provisioning package (Windows 10/11) description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime"). ms.prod: w10 ms.mktglfcycl: deploy @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 08/22/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,19 +18,16 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). >[!NOTE] ->Applying a provisioning package to a desktop device requires administrator privileges on the device. +> +> - Applying a provisioning package to a desktop device requires administrator privileges on the device. +> - You can interrupt a long-running provisioning process by pressing ESC. -## Desktop editions - ->[!NOTE] ->In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC. - -### During initial setup, from a USB drive +## During initial setup, from a USB drive 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. @@ -41,66 +37,33 @@ Provisioning packages can be applied to a device during the first-run experience ![Set up device?](../images/setupmsg.jpg) -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. +3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**. ![Provision this device.](../images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**. ![Choose a package.](../images/choose-package.png) 5. Select **Yes, add it**. ![Do you trust this package?](../images/trust-package.png) - - -### After setup, from a USB drive, network folder, or SharePoint site +## After setup, from a USB drive, network folder, or SharePoint site Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. ![add a package option.](../images/package.png) - -## Mobile editions -### Using removable media +## Related articles -1. Insert an SD card containing the provisioning package into the device. -2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - - ![add a package option.](../images/packages-mobile.png) - -3. Click **Add**. - -4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - -### Copying the provisioning package to the device - -1. Connect the device to your PC through USB. - -2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. - -3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust.](../images/package-trust.png) - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index d4debef680..308f6bad92 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -1,6 +1,6 @@ --- -title: Windows Configuration Designer command-line interface (Windows 10) -description: +title: Windows Configuration Designer command-line interface (Windows 10/11) +description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,11 +18,11 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. -- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. - You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). @@ -31,7 +30,7 @@ You can use the Windows Configuration Designer command-line interface (CLI) to a ## Syntax -``` +``` cmd icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: [/StoreFile:] [/MSPackageRoot:] [/OEMInputXML:] [/ProductName:] [/Variables::] [[+|-]Encrypted] [[+|-]Overwrite] [/?] @@ -45,28 +44,20 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | | /StoreFile | No


See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated `` and `` macro pair. The format for the argument must be `=`. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.


Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | +## Related articles - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -  - - - - - +  \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 0aa10c16b5..5086aae14b 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -1,6 +1,6 @@ --- -title: Create a provisioning package (Windows 10) -description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image. +title: Create a provisioning package (Windows 10/11) +description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,20 +8,19 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# Create a provisioning package for Windows 10 +# Create a provisioning package **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. +You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client. >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) @@ -30,26 +29,20 @@ You can use Windows Configuration Designer to create a provisioning package (.pp ## Start a new project -1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**. +1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards.](../images/icd-create-options-1703.png) - - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: + - The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) - - Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). + + Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) @@ -63,47 +56,55 @@ You can use Windows Configuration Designer to create a provisioning package (.pp 4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. - | Windows edition | Settings available for customization | Provisioning package can apply to | - |-----------------------------------|-----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| - | All Windows editions | Common settings | All Windows 10 devices | - | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | - | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices | - | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | - | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | - | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | + | Windows edition | Settings available for customization | Provisioning package can apply to | + |---|---|---| + | All Windows editions | Common settings | All Windows client devices | + | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows client desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | + | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | + | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | + | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | 5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. ->[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly. + >[!TIP] + >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that includes the settings for your organization's network. Then, import that package into other packages that you create so you don't have to reconfigure those common settings repeatedly. 6. In the **Available customizations** pane, you can now configure settings for the package. - - - ## Configure settings For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like.](../images/icd-runtime.png) -The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). +The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). The process for configuring settings is similar for all settings. The following table shows an example. - - - - - - -
step one
Expand a category.		Expand Certificates category
step two
Select a setting.		Select ClientCertificates
step three
Enter a value for the setting. Select Add if the button is displayed.		Enter a name for the certificate
step four
Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.		Additional settings for client certificate
step five
When the setting is configured, it is displayed in the Selected customizations pane.		Selected customizations pane
+1. Expand a category: -For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. + :::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category."::: -![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) +2. Select a setting: + + :::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates."::: + +3. Enter a value for the setting. Select **Add** if the button is displayed: + + :::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate."::: + +4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed: + + :::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available."::: + +5. When the setting is configured, it is displayed in the **Selected customizations** pane: + + :::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings."::: + +For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference article for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. + +![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) ## Build package @@ -120,7 +121,7 @@ For details on each specific setting, see [Windows Provisioning settings referen 3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. + - **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen. - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] @@ -148,19 +149,17 @@ For details on each specific setting, see [Windows Provisioning settings referen - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - - [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 71b38c30f7..3d1a473ae6 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -1,6 +1,6 @@ --- -title: How provisioning works in Windows -description: A provisioning package (.ppkg) is a container for a collection of configuration settings. +title: How provisioning works in Windows 10/11 +description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 09/03/2021 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -21,11 +20,11 @@ manager: dansimp - Windows 10 - Windows 11 -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 and 11 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. +Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. ## Provisioning packages -A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device. +A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or downloaded to the device. To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source. @@ -69,7 +68,7 @@ When the provisioning engine selects a configuration, the Windows provisioning X ## Provisioning engine -The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10 or 11. +The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10/11. The provisioning engine provides the following functionality: @@ -82,7 +81,7 @@ The provisioning engine provides the following functionality: ## Configuration manager -The configuration manager provides the unified way of managing Windows 10 and 11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10/11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. @@ -110,14 +109,6 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s - **Update**: Runs after an update to apply potential updated settings changes. - **User**: runs during a user account first run to configure per-user settings. - - - - - - - - ## Device provisioning during OOBE The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. @@ -129,8 +120,8 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | -| Removable media - USB drive or SD card
(Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine-to-machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices | +| Removable media - USB drive or SD card
(Packages must be placed at media root) | Five fast taps on the Windows key to launch the provisioning UI |All Windows devices | +| From an administrator device through machine-to-machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | Five fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices | The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. @@ -143,8 +134,8 @@ At device runtime, stand-alone provisioning packages can be applied by user init | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices | -| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices | -| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | +| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows client for desktop editions devices | +| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device. @@ -157,25 +148,16 @@ After a stand-alone provisioning package is applied to the device, the package i - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - +## Related articles -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) +- [Provisioning packages for Windows client](provisioning-packages.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - -  - -  diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 1a467d4e6d..2185e1123a 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,6 +1,6 @@ --- -title: Install Windows Configuration Designer (Windows 10) -description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10. +title: Install Windows Configuration Designer (Windows 10/11) +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,30 +8,35 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# Install Windows Configuration Designer +# Install Windows Configuration Designer, and learn about any limitations **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 11 -Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. ## Supported platforms -Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: +Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: +**Client OS**: + +- Windows 11 - Windows 10 - x86 and amd64 - Windows 8.1 Update - x86 and amd64 - Windows 8.1 - x86 and amd64 - Windows 8 - x86 and amd64 - Windows 7 - x86 and amd64 + +**Server OS**: + - Windows Server 2016 - Windows Server 2012 R2 Update - Windows Server 2012 R2 @@ -39,54 +44,38 @@ Windows Configuration Designer can create provisioning packages for Windows 10 d - Windows Server 2008 R2 >[!WARNING] ->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards. ## Install Windows Configuration Designer -On devices running Windows 10, you can install [the Windows Configuration Designer app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - ->[!NOTE] ->If you install Windows Configuration Designer from both the ADK and Microsoft Store, the Store app will not open. -> ->The Windows Configuration Designer App from Microsoft Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK. - -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703). - - >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example. - -2. Save **adksetup.exe** and then run it. - -3. On the **Specify Location** page, select an installation path and then click **Next**. - >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB. -4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. - -5. Accept the **License Agreement**, and then click **Next**. - -6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - - ![Only Configuration Designer selected for installation.](../images/icd-install.png) +On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. ## Current Windows Configuration Designer limitations -- Windows Configuration Designer will not work properly if the Group Policy setting **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** is enabled. We recommend that you run Windows Configuration Designer on a different device, rather than change the security setting. +- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. - You can only run one instance of Windows Configuration Designer on your computer at a time. -- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. +- When adding apps and drivers, all files stored in the same folder are imported, and may cause errors during the build process. -- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- The Windows Configuration Designer UI doesn't support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). -- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time. +- In Windows Configuration Designer, you can only build one project at a time. You can open multiple projects at the same time, but you can only build one at a time. -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. +- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**: -- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. + 1. Open Internet Explorer. + 2. Go to **Settings** > **Internet Options** > **Security** > **Custom level**. + 3. Select **Allow websites to prompt for information using scripted windows** > **Enable**. - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC. - -- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. +- If you copy a Windows Configuration Designer project from one PC to another PC, then: + + - Copy all the associated files for the deployment assets with the project, including apps and drivers. + - Copy all the files to the same path as the original PC. + + For example, when you add a driver to a provisioned package, you must copy the `.INF` file to a local directory on the PC that's running Windows Configuration Designer. If you don't copy the `.INF` file, and use a copied version of this project on a different PC, then Windows Configuration Designer might resolve the file paths to the original PC. + +- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. **Next step**: [How to create a provisioning package](provisioning-create-package.md) @@ -94,27 +83,15 @@ On devices running Windows 10, you can install [the Windows Configuration Design - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +## Related articles -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - -  - -  - - - - - diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6e54b39009..028b44c522 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -1,5 +1,5 @@ --- -title: Create a provisioning package with multivariant settings (Windows 10) +title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,8 +7,7 @@ ms.sitesec: library author: greg-lindsay ms.topic: article ms.localizationpriority: medium -ms.date: 11/08/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp ms.author: greglin --- @@ -19,7 +18,7 @@ ms.author: greglin **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. @@ -37,38 +36,43 @@ A **Target** can have more than one **TargetState**, and a **TargetState** can h ![Target with multiple target states and conditions.](../images/multi-target.png) -The following table describes the logic for the target definition. +The following information describes the logic for the target definition: - -
When all Condition elements are TRUE, TargetState is TRUE.Target state is true when all conditions are true
If any of the TargetState elements is TRUE, Target is TRUE, and the Id can be used for setting customizations.Target is true if any target state is true
+- When all **Condition** elements are TRUE, **TargetState** is TRUE: + + :::image type="content" source="../images/icd-multi-targetstate-true.png" alt-text="Target state is true when all conditions are true."::: + +- If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **ID** can be used for setting customizations: + + :::image type="content" source="../images/icd-multi-target-true.png" alt-text="Target is true if any target state is true"::: ### Conditions -The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**: +The following table shows the conditions supported in Windows client provisioning for a **TargetState**: -| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | -| --- | --- | --- | --- | --- | --- | -| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | -| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | -| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | -| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | -| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | -| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | -| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


- 0 - Empty
- 1 - Ready
- 2 - Locked | -| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


- 0 - Slot 0
- 1 - Slot 1 | -| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. | -| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. | -| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | -| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). | -| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | -| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | -| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | -| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | +| Condition Name | Condition priority | Windows client for desktop editions | Value type | Value description | +| --- | --- | --- | --- | --- | +| MNC | P0 | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | +| MCC | P0 | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | +| SPN | P0 | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | +| PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | +| GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | +| ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | +| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | +| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


- 0 - Empty
- 1 - Ready
- 2 - Locked | +| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


- 0 - Slot 0
- 1 - Slot 1 | +| ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. | +| ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. | +| AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | +| PowerPlatformRole | P1 | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). | +| Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | +| Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | +| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | +| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | -The matching types supported in Windows 10 are: +The matching types supported in Windows client are: | Matching type | Syntax | Example | | --- | --- | --- | @@ -79,7 +83,7 @@ The matching types supported in Windows 10 are: ### TargetState priorities -You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. +You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evaluates each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. @@ -281,38 +285,29 @@ In this example, the **StoreFile** corresponds to the location of the settings s ## Events that trigger provisioning -When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. +When you install the multivariant provisioning package on a Windows client device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. -The following events trigger provisioning on Windows 10 devices: +The following events trigger provisioning on Windows client devices: -| Event | Windows 10 Mobile | Windows 10 for desktop editions | -| --- | --- | --- | -| System boot | Supported | Supported | -| Operating system update | Supported | Planned | -| Package installation during device first run experience | Supported | Supported | -| Detection of SIM presence or update | Supported | Supported | -| Package installation at runtime | Supported | Supported | -| Roaming detected | Supported | Not supported | +| Event | Windows client for desktop editions | +| --- | --- | +| System boot | Supported | +| Operating system update | Planned | +| Package installation during device first run experience | Supported | +| Detection of SIM presence or update | Supported | +| Package installation at runtime | Supported | +| Roaming detected | Not supported | +## Related articles - - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index e788dfc0a5..b7a5d07216 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,8 +1,8 @@ --- -title: Provisioning packages (Windows) -description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +title: Provisioning packages overview on Windows 10/11 +description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 09/07/2021 + --- # Provisioning packages for Windows @@ -24,9 +24,9 @@ ms.date: 09/07/2021 Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10 and 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. +Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). @@ -75,17 +75,18 @@ Provisioning packages can be: The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. +| Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard | +| --- | --- | --- | --- | --- | +| Set up device | Assign device name, enter product key to upgrade Windows, configure shared used, remove pre-installed software | ✔️ | ✔️ | ✔️ | +| Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ | +| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ | +| Bulk Enrollment in Azure AD | Enroll device in Azure Active Directory

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). | ❌ | ❌ | ❌ | +| Add applications | Install applications using the provisioning package. | ✔️ | ✔️ | ❌ | +| Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ | +| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ | +| Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ | +| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ | - - - - - - - - - -
StepDescriptionDesktop wizardKiosk wizardHoloLens wizard
Set up deviceAssign device name,
enter product key to upgrade Windows,
configure shared used,
remove pre-installed software		yesyesyes
Set up networkConnect to a Wi-Fi networkyesyesyes
Account managementEnroll device in Active Directory,
enroll device in Azure Active Directory,
or create a local administrator account		yesno1yes
Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization.		no5no4no2
Add applicationsInstall applications using the provisioning package.yesyesno3
Add certificatesInclude a certificate file in the provisioning package.yesyesyes
Configure kiosk account and appCreate local account to run the kiosk mode app,
specify the app to run in kiosk mode		no6yesno7
Configure kiosk common settingsSet tablet mode,
configure welcome and shutdown screens,
turn off timeout settings		no8yesno9
Developer SetupEnable Developer Mode.no22no11yes
@@ -99,7 +100,6 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) -- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) @@ -112,20 +112,17 @@ The following table describes settings that you can configure using the wizards The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. -| Customization options | Examples | -|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| +| Customization options | Examples | +|---|---| | Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | - -\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager is not supported. Use the Configuration Manager console to enroll devices. - +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service

Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager isn't supported. To enroll devices, use the Configuration Manager console. | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). @@ -136,7 +133,7 @@ For details about the settings you can customize in provisioning packages, see [ WCD, simplified common provisioning scenarios. -![Configuration Designer options.](../images/icd.png) +:::image type="content" source="../images/icd.png" alt-text="Configuration Designer options"::: WCD supports the following scenarios for IT administrators: @@ -146,34 +143,31 @@ WCD supports the following scenarios for IT administrators: * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use WCD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - * Microsoft Intune (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) + - Microsoft Intune (certificate-based enrollment) + - AirWatch (password-string based enrollment) + - MobileIron (password-string based enrollment) + - Other MDMs (cert-based enrollment) ## Learn more -For more information about provisioning, watch the following videos: +For more information about provisioning, watch the following video: -- [Provisioning Windows 10 devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- [Provisioning Windows client devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +## Related articles -## Related topics - -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md) diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 4ed15d47fc..50e9c56a1e 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -1,6 +1,6 @@ --- -title: PowerShell cmdlets for provisioning Windows 10 (Windows 10) -description: +title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) +description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,32 +8,68 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- -# PowerShell cmdlets for provisioning Windows 10 (reference) +# PowerShell cmdlets for provisioning Windows client (reference) **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. +Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. +## cmdlets +- **Add-ProvisioningPackage**: Applies a provisioning package. - - - - - - - - -
CmdletUse this cmdlet toSyntax
Add-ProvisioningPackage Apply a provisioning packageAdd-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-QuietInstall] [-WprpFile <string>] [<CommonParameters>]
Remove-ProvisioningPackageRemove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store Install-TrustedProvisioningCertificate <path to local certificate file on disk>
Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the Uninstall-TrustedProvisioningCertificate cmdletGet-TrustedProvisioningCertificate
Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificateUninstall-TrustedProvisioningCertificate <thumbprint>
+ Syntax: + + - `Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-QuietInstall] [-WprpFile ] []` + +- **Remove-ProvisioningPackage**: Removes a provisioning package. + + Syntax: + + - `Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` + - `Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` + - `Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + +- **Get-ProvisioningPackage**: Gets information about an installed provisioning package. + + Syntax: + + - `Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` + - `Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` + - `Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + +- **Export-ProvisioningPackage**: Extracts the contents of a provisioning package. + + Syntax: + + - `Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` + - `Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` + +- **Install-TrustedProvisioningCertificate**: Adds a certificate to the Trusted Certificate store. + + Syntax: + + - `Install-TrustedProvisioningCertificate ` + +- **Get-TrustedProvisioningCertificate**: Lists all installed trusted provisioning certificates. Use this cmdlet to get the certificate thumbprint to use with the `Uninstall-TrustedProvisioningCertificate` cmdlet. + + Syntax: + + - `Get-TrustedProvisioningCertificate` + +- **Uninstall-TrustedProvisioningCertificate**: Removes a previously installed provisioning certificate. + + Syntax: + + - `Uninstall-TrustedProvisioningCertificate ` >[!NOTE] > You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` @@ -51,9 +87,9 @@ Trace logs are captured when using cmdlets. The following logs are available in >When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. -## Related topics +## Related articles -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) @@ -63,15 +99,3 @@ Trace logs are captured when using cmdlets. The following logs are available in - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - - - - - - - - diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 6e01640c44..a894ed2312 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -1,6 +1,6 @@ --- -title: Use a script to install a desktop app in provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +title: Use a script to install a desktop app in provisioning packages (Windows 10/11) +description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,14 +18,9 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see [Remarks](#remarks) below). - ->**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher - ->[!NOTE] ->This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher. +This walkthrough describes how to include scripts in a Windows client provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed. However, some care is needed to avoid unintended behavior during script execution (see [Remarks](#remarks) below). ## Assemble the application assets @@ -34,12 +28,11 @@ This walkthrough describes how to leverage the ability to include scripts in a W 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. - ## Cab the application assets -1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. +1. Create a `.DDF` file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. - ``` + ```ddf ;*** MSDN Sample Source Code MakeCAB Directive file example ; @@ -89,15 +82,15 @@ This walkthrough describes how to leverage the ability to include scripts in a W 2. Use makecab to create the cab files. - ``` + ```makecab Makecab -f ``` ## Create the script to install the application -In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. +Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. -In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). +You don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). >[!NOTE] >All actions performed by the script must happen silently, showing no UI and requiring no user interaction. @@ -108,15 +101,16 @@ In Windows 10, version 1703, you don’t need to create an orchestrator script. Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs. -``` +```log set LOGFILE=%SystemDrive%\HelloWorld.log echo Hello, World >> %LOGFILE% ``` + ### .exe example -This example script shows how to create a log output file on the system drive, install an app from a .exe installer, and echo the results to the log file. +This example script shows how to create a log output file on the system drive, install an app from an `.exe` installer, and echo the results to the log file. -``` +```exe set LOGFILE=%SystemDrive%\Fiddler_install.log echo Installing Fiddler.exe >> %LOGFILE% fiddler4setup.exe /S >> %LOGFILE% @@ -127,7 +121,7 @@ echo result: %ERRORLEVEL% >> %LOGFILE% This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package. -``` +```msi set LOGFILE=%SystemDrive%\IPOverUsb_install.log echo Installing IpOverUsbInstaller.msi >> %LOGFILE% msiexec /i IpOverUsbInstaller.msi /quiet >> %LOGFILE% @@ -136,9 +130,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### PowerShell example -This is an example script with logging that shows how to run a powershell script from the provisioning commands setting. Note that the PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. +This is an example script with logging that shows how to run a PowerShell script from the provisioning commands setting. The PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. -``` +```powershell set LOGFILE=%SystemDrive%\my_powershell_script.log echo Running my_powershell_script.ps1 in system context >> %LOGFILE% echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE% @@ -147,11 +141,12 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ``` + ### Extract from a .CAB example -This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe +This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe -``` +```cab set LOGFILE=%SystemDrive%\install_my_app.log echo Expanding installer_assets.cab >> %LOGFILE% expand -r installer_assets.cab -F:* . >> %LOGFILE% @@ -163,9 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### Calling multiple scripts in the package -In Windows 10, version 1703, your provisioning package can include multiple CommandLines. +Your provisioning package can include multiple CommandLines. -In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. +You are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. Here’s a table describing this relationship, using the PowerShell example from above: @@ -174,16 +169,16 @@ Here’s a table describing this relationship, using the PowerShell example from | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | | ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. | -| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | +| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example, there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | -### Add script to provisioning package (Windows 10, version 1607) +### Add script to provisioning package When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: -``` +```bat cmd /c InstallMyApp.bat ``` @@ -201,20 +196,21 @@ When you are done, [build the package](provisioning-create-package.md#build-pack ### Remarks + 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: a. Echo to console b. Display anything on the screen c. Prompt the user with a dialog or install wizard 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. -3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options). +3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows client](https://support.microsoft.com/help/12415/windows-10-recovery-options). 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - - For Windows 10, version 1607 and earlier: - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - - For Windows 10, version 1703: - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + + 1. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + + 2. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. 6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. @@ -223,15 +219,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack 7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 02e79a47a9..4a25836a61 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -1,6 +1,6 @@ --- -title: Uninstall a provisioning package - reverted settings (Windows 10) -description: This topic lists the settings that are reverted when you uninstall a provisioning package. +title: Uninstall a provisioning package - reverted settings (Windows 10/11) +description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,8 +8,7 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: gkomatsu manager: dansimp --- @@ -19,9 +18,9 @@ manager: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -When you uninstall a provisioning package, only certain settings are revertible. This topic lists the settings that are reverted when you uninstall a provisioning package. +When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**. @@ -79,19 +78,15 @@ Here is the list of revertible settings based on configuration service providers -## Related topics +## Related articles -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Provisioning packages for Windows client](provisioning-packages.md) +- [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - -  - -  \ No newline at end of file diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index ed5c4ee3a3..f47dd5956d 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -1,6 +1,6 @@ --- -title: Set up a shared or guest PC with Windows 10 (Windows 10) -description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios. +title: Set up a shared or guest PC with Windows 10/11 +description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. keywords: ["shared pc mode"] ms.prod: w10 ms.mktglfcycl: manage @@ -9,30 +9,31 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp --- -# Set up a shared or guest PC with Windows 10 +# Set up a shared or guest PC with Windows 10/11 **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise. > [!NOTE] -> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. +> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. ## Shared PC mode concepts -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. +A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. ### Account models -It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. ### Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. +When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. ### Maintenance and sleep Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. @@ -73,7 +74,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | | Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | | Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | | Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | @@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -112,12 +113,12 @@ You can configure Windows to be in shared PC mode in a couple different ways: 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. -- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - + ```powershell $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" $sharedPC.EnableSharedPCMode = $True diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 80bbd5b7da..d545a5cc63 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -1,8 +1,8 @@ --- -title: Set up digital signs on Windows 10 (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). +title: Set up digital signs on Windows 10/11 +description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] @@ -11,31 +11,30 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 09/20/2021 ms.topic: article --- -# Set up digital signs on Windows 10 - +# Set up digital signs on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. >[!TIP] >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. >[!NOTE] >If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). - -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) @@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on 3. Open Windows Configuration Designer and select **Provision kiosk devices**. 4. Enter a friendly name for the project, and select **Finish**. 5. On **Set up device**, select **Disabled**, and select **Next**. -6. On **Set up network**, enable network setup. +6. On **Set up network**, enable network setup: - Toggle **On** wireless network connectivity. - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. 7. On **Account management**, select **Disabled**, and select **Next**. -8. On **Add applications**, select **Add an application**. +8. On **Add applications**, select **Add an application**: - For **Application name**, enter `Kiosk Browser`. - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. - The **Package family name** is populated automatically. - Select **Next**. 9. On **Add certificates**, select **Next**. -10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage: - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. -12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu: - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - In **BlockedUrl**, enter `*`. - In **DefaultUrl**, enter `https://www.contoso.com/menu`. @@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on 20. Copy the .ppkg file to a USB drive. 21. Attach the USB drive to the device that you want to use for your digital sign. 22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. - - - - - - - - - - - - - diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index d26c7b384d..3c2d63c994 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -10,7 +10,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: MandiOhlinger -ms.date: 09/13/2021 ms.localizationpriority: medium --- @@ -57,6 +56,17 @@ For information on customizing the Start menu layout using policy, see [Customiz ## Existing CSP policies that Windows 11 doesn't support - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps) + - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu` + - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md new file mode 100644 index 0000000000..2d7577e32a --- /dev/null +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -0,0 +1,67 @@ +--- +title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs +description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. +ms.assetid: +manager: dougeby +ms.author: mandia +ms.reviewer: chataylo +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +author: MandiOhlinger +ms.localizationpriority: medium +--- + +# Supported configuration service provider (CSP) policies for Windows 11 taskbar + +**Applies to**: + +- Windows 11 + +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. + +This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). + +For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). + +## Existing CSP policies that Windows 11 taskbar supports + +- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` + - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar + +- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` + - Local setting: None + +## Existing CSP policies that Windows 11 doesn't support + +The following list includes some of the CSP policies that aren't supported on Windows 11: + +- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` + +- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` + +- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` + +- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` + +- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` + +- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` + +- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` + +- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` + +- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 8daccb955a..18817d1d38 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -52,6 +52,8 @@ items: - name: Using a proxy with Delivery Optimization href: update/delivery-optimization-proxy.md + - name: Delivery Optimization client-service communication + href: update/delivery-optimization-workflow.md - name: Best practices for feature updates on mission-critical devices href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md new file mode 100644 index 0000000000..4336f3ab23 --- /dev/null +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -0,0 +1,44 @@ +--- +title: Delivery Optimization client-service communication explained +manager: dougeby +description: Details of how Delivery Optimization communicates with the server when content is requested to download. +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Delivery Optimization client-service communication explained + +**Applies to** + +- Windows 10 +- Windows 11 + +## Download request workflow + +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. + + +1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. +4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to “simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. + +## Delivery Optimization service endpoint and data information + +|Endpoint hostname|Port|Name|Description|Data sent from the computer to the endpoint +|--------------------------------------------|--------|---------------|-----------------------|------------------------| +| geover-prod.do.dsp.mp.microsoft.com
geo-prod.do.dsp.mp.microsoft.com
geo.prod.do.dsp.mp.microsoft.com
geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
**doClientVersion**: The version of the DoSvc client
**groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | +| cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identified of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index c62f135de1..73f4b8e93f 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -1,6 +1,6 @@ --- -title: Deploy Windows 10 updates with Configuration Manager (Windows 10) -description: Deploy Windows 10 updates with Configuration Manager +title: Deploy Windows client updates with Configuration Manager +description: Deploy Windows client updates with Configuration Manager ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -15,6 +15,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md index 5079d8a8f7..e871e5e68c 100644 --- a/windows/deployment/update/deploy-updates-intune.md +++ b/windows/deployment/update/deploy-updates-intune.md @@ -1,6 +1,6 @@ --- title: Deploy updates with Intune -description: Deploy Windows 10 updates with Intune +description: Deploy Windows client updates with Intune ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -15,6 +15,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates. \ No newline at end of file +See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates. \ No newline at end of file diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index fc45328c40..13a811171f 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -16,15 +16,18 @@ ms.custom: seo-marvel-apr2020 --- # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager -> Applies to: Windows 10 +**Applies to** -In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. +- Windows 10 +- Windows 11 + +In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. -In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired. +In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired. In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 3758d0c313..01eadf3247 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -16,7 +16,10 @@ ms.topic: article # Update Windows installation media with Dynamic Update -**Applies to**: Windows 10, Windows 11 +**Applies to** + +- Windows 10 +- Windows 11 This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index addb9d4952..cad3343d01 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md @@ -15,9 +15,14 @@ ms.topic: article # Migrating and acquiring optional Windows content during updates +**Applies to** + +- Windows 10 +- Windows 11 + This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. -When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows 10 setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows 10 feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update). +When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update). Neither approach contains the full set of Windows optional features that a user’s device might need, so those features are not migrated to the new operating system. Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update @@ -29,7 +34,7 @@ Optional content includes the following items: - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) - Local Experience Packs -Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. +Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. ## Why is acquiring optional content challenging? @@ -37,17 +42,17 @@ The challenges surrounding optional content typically fall into two groups: ### Incomplete operating system updates -The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating is written to the user’s disk alongside the old version. This is a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When this happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. +The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user’s disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. -Windows Setup needs access to the optional content to do this. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.” +Windows Setup needs access to the optional content. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.” ### User-initiated feature acquisition failure -The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows 10, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, additional language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.” +The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, more language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.” ## Options for acquiring optional content -Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows 10. In this table, +Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows client. In this table, - Migration means it supports optional content migration during an update. - Acquisition means it supports optional content acquisition (that is, initiated by the user). @@ -70,30 +75,30 @@ Most commercial organizations understand the pain points outlined above, and dis Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back. -Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows 10, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS. +Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS. -You should consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows 10 device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. See [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, as well as our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic. +Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows client device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more info, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, and our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic. ### Option 2: Enable Dynamic Update -If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows 10 feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows 10 Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following: +If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following: - Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates. - Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE). -- Servicing stack updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update. +- Servicing stack updates: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update. - Latest cumulative update: Installs the latest cumulative quality update. - Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update. -In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. -Starting in Windows 10, version 2004, Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will go through an additional reboot for the latest cumulative update since it was not available during the feature update. +Starting in Windows 10, version 2004, Dynamic Update can be configured with more options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it was not available during the feature update. -One additional consideration when using Dynamic Update is the impact to your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available. +One further consideration when using Dynamic Update is the affect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available. For devices that aren’t connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog. ### Option 3: Customize the Windows Image before deployment - For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This is sometimes referred to as customizing the installation media. + For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media. You can customize the Windows image in these ways: @@ -104,24 +109,24 @@ You can customize the Windows image in these ways: - Adding or removing languages - Adding or removing Features on Demand -The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This allows for device-specific image customization based on what's currently installed. +The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed. ### Option 4: Install language features during deployment -A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. +A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details. -When Setup runs, it will inject these packages into the new operating system during installation. This means it can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, as well as the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled). +When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled). -This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. For some commercial customers, this is implemented as their primary pain point has to do with language support immediately after the update. +This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. ### Option 5: Install optional content after deployment -This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality. +This option is like Option 3 in that you customize the operating system image with more optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality. ### Option 6: Configure an alternative source for optional content -Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of additional content to be hosted within your network (additional to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: +Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy: - The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon. - This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. @@ -141,7 +146,7 @@ For more information about the Unified Update Platform and the approaches outlin - [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) - [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) - [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) -- [Updating Windows 10 media with Dynamic Update packages](media-dynamic-update.md) +- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md) - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) @@ -564,7 +569,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null ### Saving optional content in the source operating system -To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This will limit the files to copy. +To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy. ```powershell diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 6b9563437a..15a43dfe2f 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,5 +1,5 @@ --- -title: Servicing stack updates (Windows 10) +title: Servicing stack updates description: In this article, learn how servicing stack updates improve the code that installs the other updates. ms.prod: w10 ms.mktglfcycl: manage @@ -20,7 +20,8 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10, Windows 8.1, Windows 8, Windows 7 +- Windows 10 +- Windows 11 ## What is a servicing stack update? Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. @@ -38,7 +39,7 @@ Servicing stack update are released depending on new issues or vulnerabilities. ## What's the difference between a servicing stack update and a cumulative update? -Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. +Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index f700affa62..55c83a3ecc 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -16,6 +16,10 @@ ms.topic: article --- # Configuring Microsoft Endpoint Manager devices for Update Compliance +**Applies to** + +- Windows 10 +- Windows 11 > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 177e2b07ca..4070bb332d 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -12,7 +12,7 @@ ms.collection: M365-modern-desktop ms.topic: article --- -# Build deployment rings for Windows 10 updates +# Build deployment rings for Windows client updates **Applies to** @@ -37,15 +37,15 @@ Table 1 provides an example of the deployment rings you might use. | Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | | --- | --- | --- | --- | --- | -| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel | -| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
Pause updates if there are critical issues | -| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | +| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the Semi-Annual channel | +| Broad | Semi-Annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
Pause updates if there are critical issues | +| Critical | Semi-Annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for some time by most of the organization | >[!NOTE] >In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. -As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. +As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. ## Steps to manage updates for Windows client @@ -54,7 +54,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is | --- | --- | | ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this topic) | +| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this article) | | ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | | ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | | ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index bc2accd828..3556cec273 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -27,13 +27,13 @@ ms.topic: article WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. -When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. +When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. -## Requirements for Windows 10 servicing with WSUS +## Requirements for Windows client servicing with WSUS -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version: +To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version: - WSUS 10.0.14393 (role in Windows Server 2016) - WSUS 10.0.17763 (role in Windows Server 2019) - WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2) @@ -109,7 +109,7 @@ As Windows clients refresh their computer policies (the default Group Policy ref ## Create computer groups in the WSUS Administration Console >[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. +>The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples. You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. @@ -242,10 +242,11 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. -**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** +**To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** +This example uses Windows 10, but the process is the same for Windows 11. 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**. @@ -274,16 +275,16 @@ For clients that should have their feature updates approved as soon as they’re >[!NOTE] >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. -Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. +Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. > [!WARNING] -> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large. +> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large. ## Manually approve and deploy feature updates You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated. -To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. +To simplify the manual approval process, start by creating a software update view that contains only Windows 10 (in this example) updates. The process is the same for Windows 11 updates. > [!NOTE] > If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer. diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index bdc0a8d662..bef5342d10 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -16,7 +16,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -29,7 +30,7 @@ An IT administrator can set policies for Windows Update for Business by using Mi To manage updates with Windows Update for Business, you should prepare with these steps, if you haven't already: -- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. +- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows client. - Allow access to the Windows Update service. @@ -39,7 +40,7 @@ You can control when updates are applied, for example by deferring when an updat ### Determine which updates you want offered to your devices -Both Windows 10 feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. +Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device. To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice). @@ -194,22 +195,3 @@ When you disable this setting, users will see **Some settings are managed by you If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess). - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 8922733a56..fe639fa3d6 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -1,5 +1,5 @@ --- -title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) +title: Walkthrough use Intune to configure Windows Update for Business description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune. ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..ac67414ec6 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,9 +7,9 @@ audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: +ms.reviewer: kaushika manager: laurawi -ms.topic: article +ms.topic: troubleshooting ms.custom: seo-marvel-apr2020 --- @@ -22,22 +22,198 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External .cab file processing completed with some errors | This can be caused by the Lightspeed Rocket for web filtering software.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed Rocket. | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename the software redistribution folder and try to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. Restart the system to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxies that block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates data that isn't valid was downloaded or corruption occurred.| Attempt to re-download the update and start installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity. The system fails to respond, leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the installation. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because no interactive user is signed in. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows updates require the device to be restarted. Restart the device to complete update installation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found information in the update's XML data that isn't valid. | Certain drivers contain additional metadata information in Update.xml, which Orchestrator can interpret as data that isn't valid. Ensure that you have the latest Windows Update Agent installed on the device. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A failure to respond was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has stopped responding. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.| + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device.| + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically, a component store corruption caused when a component is in a partially installed state. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/). + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is that antivirus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own update source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager, due to a proxy error.
Verify the proxy settings on the client. The Windows Update Agent uses WinHTTP to scan for available updates. When there is a proxy server between the client and the update source, the proxy settings must be configured correctly on the clients to enable them to communicate by using the source's FQDN.
Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index b9eb08a9e3..fd1d2c3d80 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -18,6 +18,7 @@ author: jaimeo **Applies to**: - Windows 10 +- Windows 11 - Windows Server 2016 - Windows Server 2019 diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 9b9c40977d..f191ffdf77 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -1,5 +1,5 @@ --- -title: Active Directory Security Groups (Windows 10) +title: Active Directory Security Groups description: Active Directory Security Groups ms.prod: w10 ms.mktglfcycl: deploy @@ -12,14 +12,15 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/21/2021 ms.reviewer: --- # Active Directory Security Groups **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later +- Windows 10 or later This reference topic for the IT professional describes the default Active Directory security groups. @@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-512

+

S-1-5-21-<domain>-512

Type

@@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-21-<domain>-498

+

S-1-5-21-<root domain>-498

Type

diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 405b6710ad..d2bee6b47c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -71,7 +71,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 61eb44f8f8..ccb1a890ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -33,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: + - [Prepare Azure AD Connect](#prepare-azure-ad-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) @@ -42,12 +43,14 @@ Steps you will perform include: - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements + You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availability + The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -61,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements + All communication occurs securely over port 443. ## Prepare Azure AD Connect + Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. @@ -71,6 +76,7 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version + Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. @@ -78,6 +84,7 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized + The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ @@ -89,6 +96,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni ## Prepare the Network Device Enrollment Services (NDES) Service Account ### Create the NDES Servers global security group + The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -100,6 +108,7 @@ Sign-in to a domain controller or management workstation with access equivalent 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group + Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. @@ -111,6 +120,7 @@ Sign-in to a domain controller or management workstation with access equivalent > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account + The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -124,6 +134,7 @@ Sign-in to a domain controller or management workstation with access equivalent > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object + The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -141,6 +152,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object + The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -153,6 +165,7 @@ Sign-in to a domain controller or management workstation with access equivalent 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object + The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -165,6 +178,7 @@ Sign-in to a domain controller or management workstation with access equivalent > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority + You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will - Configure the certificate authority to let Intune provide validity periods @@ -173,6 +187,7 @@ You must prepare the public key infrastructure and the issuing certificate autho - Publish certificate templates ### Configure the certificate authority to let Intune provide validity periods + When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. > [!NOTE] @@ -181,12 +196,15 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 1. Open an elevated command prompt and type the following command: + ``` certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. + +1. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template + NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. @@ -207,6 +225,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template + During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. @@ -225,10 +244,11 @@ Sign in a certificate authority or management workstations with _Domain Admin eq 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. Close the console. +11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Close the console. ### Publish certificate templates + The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. > [!Important] @@ -244,16 +264,19 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 6. Close the console. ## Install and Configure the NDES Role + This section includes the following topics: -* Install the Network Device Enrollment Service Role -* Configure the NDES service account -* Configure the NDES role and Certificate Templates -* Create a Web Application Proxy for the Internal NDES URL. -* Enroll for an NDES-Intune Authentication Certificate -* Configure the Web Server Certificate for NDES -* Verify the configuration + +- Install the Network Device Enrollment Service Role +- Configure the NDES service account +- Configure the NDES role and Certificate Templates +- Create a Web Application Proxy for the Internal NDES URL. +- Enroll for an NDES-Intune Authentication Certificate +- Configure the Web Server Certificate for NDES +- Verify the configuration ### Install the Network Device Enrollment Services Role + Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. @@ -272,11 +295,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) 7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - * **Web Server > Security > Request Filtering** - * **Web Server > Application Development > ASP.NET 3.5**. - * **Web Server > Application Development > ASP.NET 4.5**. . - * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** - * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + + - **Web Server > Security > Request Filtering** + - **Web Server > Application Development > ASP.NET 3.5**. + - **Web Server > Application Development > ASP.NET 4.5**. . + - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!IMPORTANT] @@ -284,9 +309,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account + This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation #### Add the NDES service account to the IIS_USRS group + Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). @@ -295,10 +322,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 4. Close the management console. #### Register a Service Principal Name on the NDES Service account + Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. 2. Type the following command to register the service principal name + ``` setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` @@ -313,6 +342,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_. ![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png) #### Configure the NDES Service account for delegation + The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. @@ -332,9 +362,11 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates + This task configures the NDES role and the certificate templates the NDES server issues. #### Configure the NDES Role + Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] @@ -355,13 +387,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) -8. Click **Close** after the configuration completes. +9. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES + A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. -* Digital Signature -* Key Encipherment -* Key Encipherment, Digital Signature + +- Digital Signature +- Key Encipherment +- Key Encipherment, Digital Signature Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. @@ -380,6 +414,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. 3. Type the following command: + ``` reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` @@ -387,6 +422,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. ``` reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` + 4. Type **Y** when the command asks for permission to overwrite the existing value. 5. Close the command prompt. @@ -394,6 +430,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. > Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. + Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. @@ -403,6 +440,7 @@ Azure AD Application proxies are serviced by lightweight Application Proxy Conne Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. #### Download and Install the Application Proxy Connector Agent + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -424,6 +462,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -436,6 +475,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 6. Click **Save**. #### Create the Azure Application Proxy + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -456,6 +496,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. ### Enroll the NDES-Intune Authentication certificate + This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. Sign-in the NDES server with access equivalent to _local administrators_. @@ -470,10 +511,11 @@ Sign-in the NDES server with access equivalent to _local administrators_. ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. -9. Click **Enroll** -10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. +10. Click **Enroll** +11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role + This task configures the Web Server role on the NDES server to use the server authentication certificate. Sign-in the NDES server with access equivalent to _local administrator_. @@ -491,19 +533,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration + This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration + 1. Open **Server Manager**. Click **Local Server** from the navigation pane. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 4. Close **Server Manager**. #### Test the NDES web server + 1. Open **Internet Explorer**. 2. In the navigation bar, type + ``` https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` @@ -516,16 +562,18 @@ A web page similar to the following should appear in your web browser. If you d Confirm the web site uses the server authentication certificate. ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) - ## Configure Network Device Enrollment Services to work with Microsoft Intune + You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs ### Configure NDES and HTTP to support long URLs + Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site + 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. @@ -539,18 +587,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS + 1. Open an elevated command prompt. 2. Run the following commands: + ``` reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` + 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector + The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. ### Download Intune Certificate Connector + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). @@ -561,6 +614,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. @@ -588,6 +642,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. @@ -608,9 +663,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ### Configure the NDES Connector for certificate revocation (**Optional**) + Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). #### Enabling the NDES Service account for revocation + Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. @@ -620,6 +677,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). @@ -628,19 +686,24 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector + Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. 2. Type the following command to confirm the NDES Connector's last connection time is current. + ``` reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` + 3. Close the command prompt. 4. Open **Internet Explorer**. 5. In the navigation bar, type: + ``` https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) @@ -649,6 +712,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile ### Create an AADJ WHFB Certificate Users Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -663,6 +727,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 9. Click **Create**. ### Create a SCEP Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). @@ -697,6 +762,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). @@ -710,13 +776,17 @@ Sign-in a workstation with access equivalent to a _domain user_. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. +> [!NOTE] +> The Passport for Work configuration service provider (CSP) which is used to manage Windows Hello for Business with Mobile Device Management (MDM) contains a policy called UseCertificateForOnPremAuth. This policy is not needed when deploying certificates to Windows Hello for Business users through the instructions outlined in this document and should not be configured. Devices managed with MDM where UseCertificateForOnPremAuth is enabled will fail a prerequisite check for Windows Hello for Business provisioning. This failure will block users from setting up Windows Hello for Business if they don't already have it configured. + ## Section Review + > [!div class="checklist"] -> * Requirements -> * Prepare Azure AD Connect -> * Prepare the Network Device Enrollment Services (NDES) Service Account -> * Prepare Active Directory Certificate Authority -> * Install and Configure the NDES Role -> * Configure Network Device Enrollment Services to work with Microsoft Intune -> * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) +> - Requirements +> - Prepare Azure AD Connect +> - Prepare the Network Device Enrollment Services (NDES) Service Account +> - Prepare Active Directory Certificate Authority +> - Install and Configure the NDES Role +> - Configure Network Device Enrollment Services to work with Microsoft Intune +> - Download, Install, and Configure the Intune Certificate Connector +> - Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index b4a6ed10da..b849c9ce8a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) +1. [Overview](hello-hybrid-key-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index bbb6ddc586..907bcfc24c 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,5 +1,5 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy @@ -8,16 +8,17 @@ ms.pagetype: security, networking author: dansimp ms.author: dansimp ms.localizationpriority: medium -ms.date: 02/08/2018 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections ->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10 +>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server @@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy ``` -On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 21c295bad1..510a5a9e76 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,12 +1,12 @@ --- -title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10) +title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 2c0a581e8d..77824138a9 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,5 +1,5 @@ --- -title: VPN authentication options (Windows 10) +title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). @@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods. MethodDetails EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
  • User name and password authentication
  • Winlogon credentials - can specify authentication with computer sign-in credentials
-EAP-Transport Layer Security (EAP-TLS)
  • Supports the following types of certificate authentication
    • Certificate with keys in the software Key Storage Provider (KSP)
    • Certificate with keys in Trusted Platform Module (TPM) KSP
    • Smart card certficates
    • Windows Hello for Business certificate
  • Certificate filtering
    • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
    • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
  • Server validation - with TLS, server validation can be toggled on or off
    • Server name - specify the server to validate
    • Server certificate - trusted root certificate to validate the server
    • Notification - specify if the user should get a notification asking whether to trust the server or not
+EAP-Transport Layer Security (EAP-TLS)
  • Supports the following types of certificate authentication
    • Certificate with keys in the software Key Storage Provider (KSP)
    • Certificate with keys in Trusted Platform Module (TPM) KSP
    • Smart card certificates
    • Windows Hello for Business certificate
  • Certificate filtering
    • Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
    • Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
  • Server validation - with TLS, server validation can be toggled on or off
    • Server name - specify the server to validate
    • Server certificate - trusted root certificate to validate the server
    • Notification - specify if the user should get a notification asking whether to trust the server or not
Protected Extensible Authentication Protocol (PEAP)
  • Server validation - with PEAP, server validation can be toggled on or off
    • Server name - specify the server to validate
    • Server certificate - trusted root certificate to validate the server
    • Notification - specify if the user should get a notification asking whether to trust the server or not
  • Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
    • EAP-MSCHAPv2
    • EAP-TLS
  • Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
  • Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
Tunneled Transport Layer Security (TTLS)
  • Inner method
    • Non-EAP
      • Password Authentication Protocol (PAP)
      • CHAP
      • MSCHAP
      • MSCHAPv2
    • EAP
      • MSCHAPv2
      • TLS
  • Server validation: in TTLS, the server must be validated. The following can be configured:
    • Server name
    • Trusted root certificate for server certificate
    • Whether there should be a server validation notification
@@ -62,4 +62,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 44b05da541..128afcfee9 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -1,13 +1,13 @@ --- -title: VPN auto-triggered profile options (Windows 10) -description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource. +title: VPN auto-triggered profile options (Windows 10 and Windows 11) +description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,9 +17,9 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: +In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: - App trigger - Name-based trigger @@ -31,7 +31,7 @@ In Windows 10, a number of features were added to auto-trigger VPN so users won ## App trigger -VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. +VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name. @@ -54,7 +54,7 @@ There are four types of name-based triggers: ## Always On -Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers: +Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers: - User sign-in - Network change diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 66baa88e46..068d41d1a5 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -1,5 +1,5 @@ --- -title: VPN and conditional access (Windows 10) +title: VPN and conditional access (Windows 10 and Windows 11) description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps. ms.prod: w10 ms.mktglfcycl: deploy @@ -10,12 +10,12 @@ ms.author: dansimp manager: dansimp ms.reviewer: ms.localizationpriority: medium -ms.date: 03/21/2019 +ms.date: 09/23/2021 --- # VPN and conditional access ->Applies to: Windows 10 and Windows 10 Mobile +>Applies to: Windows 10 and Windows 11 The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. @@ -91,7 +91,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10’s Azure AD Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10’s or Windows 11’s Azure AD Token Broker, identifying itself as a VPN client. 2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. The Azure AD Server checks if the device is in compliance with the policies. @@ -110,6 +110,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview) - [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa) - [Control the health of Windows 10-based devices](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) +- Control the health of Windows 11-based devices - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 465f79924f..90b1a56b41 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -1,5 +1,5 @@ --- -title: VPN connection types (Windows 10) +title: VPN connection types (Windows 10 and Windows 11) description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 08/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,11 +17,11 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network. -There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. +There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. ![VPN connection types.](images/vpn-connection.png) @@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and ## Universal Windows Platform VPN plug-in -The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. +The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 51eda0028d..3f23cadc79 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,25 +1,26 @@ --- -title: Windows 10 VPN technical guide (Windows 10) -description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. +title: Windows VPN technical guide (Windows 10 and Windows 11) +description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp ms.localizationpriority: medium -ms.date: 11/13/2020 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp --- -# Windows 10 VPN technical guide +# Windows VPN technical guide **Applies to** - Windows 10 +- Windows 11 -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11. To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10). @@ -42,4 +43,4 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win ## Learn more -- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) \ No newline at end of file +- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure) diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 70cec8d554..a61584597c 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -1,5 +1,5 @@ --- -title: VPN name resolution (Windows 10) +title: VPN name resolution (Windows 10 and Windows 11) description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 5c4221a574..562a872615 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -1,5 +1,5 @@ --- -title: Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client description: tbd ms.prod: w10 ms.mktglfcycl: deploy @@ -9,20 +9,20 @@ audience: ITPro ms.topic: article author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/07/2020 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: jajo --- -# Optimizing Office 365 traffic for remote workers with the native Windows 10 VPN client +# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client -This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. +This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. -This can be achieved for the native/built-in Windows 10 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. +This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users. > [!NOTE] -> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). +> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 and Windows 11 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration). ## Solution Overview @@ -30,7 +30,7 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](./vpn-profile-options.md#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunneling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: +To enable the use of force tunneling in Windows 10 or Windows 11 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel @@ -90,13 +90,13 @@ An example of a PowerShell script that can be used to update a force tunnel VPN <# .SYNOPSIS - Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 VPN profile + Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile .DESCRIPTION Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file) Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name .PARAMETERS - Filename and path for a supplied Windows 10 VPN profile file in either PowerShell or XML format + Filename and path for a supplied Windows 10 or Windows 11 VPN profile file in either PowerShell or XML format .NOTES Requires at least Windows 10 Version 1803 with KB4493437, 1809 with KB4490481, or later .VERSION @@ -430,6 +430,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") This solution is supported with the following versions of Windows: +- Windows 11 - Windows 10 1903/1909 and newer: Included, no action needed - Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481) - Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 96eae8c6ac..8e683158b9 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -1,6 +1,6 @@ --- -title: VPN profile options (Windows 10) -description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. +title: VPN profile options (Windows 10 and Windows 11) +description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523 ms.reviewer: manager: dansimp @@ -18,9 +18,9 @@ ms.date: 05/17/2018 **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 -Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). +Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first. @@ -56,7 +56,7 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile @@ -222,7 +222,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. -``` +```xml TestVpnProfile @@ -294,26 +294,38 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr Helloworld.Com - ``` ## Apply ProfileXML using Intune -After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. +After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy. 1. Sign into the [Azure portal](https://portal.azure.com). + 2. Go to **Intune** > **Device Configuration** > **Profiles**. + 3. Click **Create Profile**. + 4. Enter a name and (optionally) a description. + 5. Choose **Windows 10 and later** as the platform. + 6. Choose **Custom** as the profile type and click **Add**. + 8. Enter a name and (optionally) a description. + 9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**. + 10. Set Data type to **String (XML file)**. + 11. Upload the profile XML file. + 12. Click **OK**. + ![Custom VPN profile.](images/custom-vpn-profile.png) + 13. Click **OK**, then **Create**. + 14. Assign the profile. @@ -332,4 +344,4 @@ After you configure the settings that you want using ProfileXML, you can apply i - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) \ No newline at end of file +- [VPN security features](vpn-security-features.md) diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index ea0cb1c3ae..5c2b3d00e1 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -title: VPN routing decisions (Windows 10) +title: VPN routing decisions (Windows 10 and Windows 10) description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index c84ab32cb0..88d9c1dfba 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -1,5 +1,5 @@ --- -title: VPN security features (Windows 10) +title: VPN security features (Windows 10 and Windows 11) description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/03/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,14 +17,14 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. -The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: +The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: - Core functionality: File encryption and file access blocking - UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index b3a9837cd5..8a77aee208 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Filtering Platform Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following: diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index 37a86a6424..904bc669cb 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Group Membership -**Applies to** -- Windows 10 -- Windows Server 2016 By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer. diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index e82188ac78..1003455f12 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Handle Manipulation -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 606acf77a3..108d9f2155 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit IPsec Driver -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 179c4e5e22..502f29b57d 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit IPsec Extended Mode -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index 092717cc70..c3f71a182d 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit IPsec Main Mode -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index fefab72132..0424935c98 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 10/02/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit IPsec Quick Mode -**Applies to** -- Windows 10 -- Windows Server 2016 Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 14495b2794..ac184cba5f 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Kerberos Authentication Service -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 3bbaa165ef..788a0eccd6 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Kerberos Service Ticket Operations -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index f93ad96e33..f0329f57a4 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Kernel Object -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index a07a10fd9a..eadeed6ed8 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/16/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Logoff -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index e87dd6ad1d..b6b71c23f6 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Logon -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index 5107277a3d..ff61afa77f 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit MPSSVC Rule-Level Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index d6ac9d53e5..016e6d53d7 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Network Policy Server -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 8cf59016dd..7ef4be2fc3 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Non-Sensitive Privilege Use -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 39fa1e83de..774bedd202 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -1,6 +1,6 @@ --- title: Audit Other Account Logon Events (Windows 10) -description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons. +description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 ms.reviewer: manager: dansimp @@ -11,24 +11,19 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Account Logon Events -**Applies to** -- Windows 10 -- Windows Server 2016 - - **General Subcategory Information:** This auditing subcategory does not contain any events. It is intended for future use. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | +| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | +| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. | diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index bb5d7120a3..bab6689283 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Account Management Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Account Management Events determines whether the operating system generates user account management audit events. diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index c123e22ef8..032d65589e 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Logon/Logoff Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index a485aa2d07..1a82bd54e1 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Object Access Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 5f55e34285..61ed449132 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Policy Change Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 7e8dea77c3..ed0e6fde50 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other Privilege Use Events -**Applies to** -- Windows 10 -- Windows Server 2016 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985). diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 7554066d42..8762fb22fc 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -11,17 +11,13 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Other System Events -**Applies to** -- Windows 10 -- Windows Server 2016 - - + Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. Audit Other System Events determines whether the operating system audits various system events. diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 16b696e3a2..23779f6a95 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit PNP Activity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit PNP Activity determines when Plug and Play detects an external device. diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 456c7082b1..1e0c857ede 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Process Creation -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 97b0a91741..7206647a67 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Process Termination -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Process Termination determines whether the operating system generates audit events when process has exited. diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 70a672e969..b942488455 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Registry -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index b0ec0466fe..9a0d27b1c2 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Removable Storage -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists). diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 59202d82fa..6be5c9a222 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit RPC Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 022b451082..020c87b6c0 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit SAM -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects. diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index c80fe834a9..045ce6d2cd 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 02/28/2019 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 19614087bb..81d52226a4 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security State Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index b787507ef4..06a62bc211 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Security System Extension -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. @@ -36,9 +32,9 @@ Attempts to install or load security system extensions or services are critical | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index fe6ad3206b..d2929dbc8b 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Sensitive Privilege Use -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index c852e45990..a2c7e6fe4c 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Special Logon -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index f9be77c1eb..d88432587a 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit System Integrity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index c53c887d1f..51362e65a8 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -11,10 +11,6 @@ ms.technology: mde # Audit Token Right Adjusted -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 145e04e477..97b551d31a 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit User Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 6051e50d2f..f5b3b71fa8 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit User/Device Claims -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 7e9d098f5d..9e83b22f8e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit account logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 5541fc0f63..e438366e30 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit account management -**Applies to** -- Windows 10 Determines whether to audit each event of account management on a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index e52e2e7382..fb18731a64 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit directory service access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index c730790cfa..569a8335dd 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit logon events -**Applies to** -- Windows 10 Determines whether to audit each instance of a user logging on to or logging off from a device. diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 7bb1357af3..3cc432b64b 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit object access -**Applies to** -- Windows 10 Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index a04167e8c2..3e7cc6a8ea 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit policy change -**Applies to** -- Windows 10 Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 4b6a28a415..ff6e5dff98 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit privilege use -**Applies to** -- Windows 10 Determines whether to audit each instance of a user exercising a user right. diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index c2e1ff94ca..a7f08b9c20 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit process tracking -**Applies to** -- Windows 10 Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 8c5e33028e..4201c2447f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit system events -**Applies to** -- Windows 10 Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index fd291c792a..012b98550f 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Basic security audit policies -**Applies to** -- Windows 10 Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 0ddb0a6152..0b56e07522 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Basic security audit policy settings -**Applies to** -- Windows 10 Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 526946d4b5..054ff9b595 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- # Create a basic audit policy for an event category -**Applies to** -- Windows 10 By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index f3fbd46308..c8ac91b393 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1100(S): The event logging service has shut down. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1100 illustration diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index fecf1badde..02ac9384e5 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1102(S): The audit log was cleared. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1102 illustration diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 8d6a8dfd16..0c5e2917af 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1104(S): The security log is now full. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1104 illustration diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index ca327249e4..1aeaa58c8e 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1105(S): Event log automatic backup -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1105 illustration diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 440e411f38..1a7f0cbd1e 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 1108 illustration diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 6372e6acc2..255036037d 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4608(S): Windows is starting up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4608 illustration diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index aba324fd61..2249612819 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4610(S): An authentication package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4610 illustration diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 50583e6f70..b4ce0a9d8d 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4611(S): A trusted logon process has been registered with the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4611 illustration diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index c4561550d5..aa8b9ecc61 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index ca4c161420..959ef959e9 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4614(S): A notification package has been loaded by the Security Account Manager. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4614 illustration diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 6c8f9cd7ac..82dbd7d648 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4615(S): Invalid use of LPC port. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 690bde945f..2fc4b43b2c 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4616(S): The system time was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4616 illustration diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index c1bc41f942..baa0727774 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4618(S): A monitored security event pattern has occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 9ffb0fee15..d3475dbb08 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,9 +16,6 @@ ms.technology: mde # 4621(S): Administrator recovered system from CrashOnAuditFail. -**Applies to** -- Windows 10 -- Windows Server 2016 This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 46f54afcca..5404c4491b 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4622(S): A security package has been loaded by the Local Security Authority. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4622 illustration @@ -101,4 +97,4 @@ These are some Security Package DLLs loaded by default in Windows 10: For 4622(S): A security package has been loaded by the Local Security Authority. -- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not. \ No newline at end of file +- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index a61449dada..6a36fda6d7 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4624(S): An account was successfully logged on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4624 illustration diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index d613787ba3..ec92960ecc 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4625(F): An account failed to log on. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4625 illustration diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 667de4c561..1aba2f1f3b 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4626(S): User/Device claims information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4626 illustration diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 4a4fce1919..8ad79efcb2 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4627(S): Group membership information. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4627 illustration diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index b0541e2dbb..16bf3e049d 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 11/20/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4634(S): An account was logged off. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4634 illustration diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 14dc2a7083..01428dba45 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4647(S): User initiated logoff. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4647 illustration diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 44eb565de4..8d81d41573 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4648(S): A logon was attempted using explicit credentials. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4648 illustration diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 06ae9ca1aa..75f1bf3c96 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4649(S): A replay attack was detected. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 7332ad06b8..7aee847e93 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4656(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4656 illustration diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index e0d0985203..39cb4e6052 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4657(S): A registry value was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4657 illustration diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 85b56fb6d0..0acb8a0b2f 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4658(S): The handle to an object was closed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4658 illustration diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 7a921090fd..871435d568 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4660(S): An object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4660 illustration diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 27afd56d00..77da9a1780 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4661(S, F): A handle to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4661 illustration diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index b9d488c090..7950f49912 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4662(S, F): An operation was performed on an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4662 illustration diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index efa297ac08..d85a14bddf 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4663(S): An attempt was made to access an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4663 illustration diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 9c99e5f2bc..36c3d8aa08 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4664(S): An attempt was made to create a hard link. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4664 illustration diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index ea7d4dcf1e..0f070cd8f8 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4670(S): Permissions on an object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4670 illustration diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index fb46f1fb5a..cc53508b8f 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,11 +16,7 @@ ms.technology: mde # 4671(-): An application attempted to access a blocked ordinal through the TBS. -**Applies to** -- Windows 10 -- Windows Server 2016 - - +* Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. ***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 479e31207b..3e563025ba 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 12/20/2018 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4672(S): Special privileges assigned to new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4672 illustration
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index cf5ef8d500..82e7ac1332 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4673(S, F): A privileged service was called. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4673 illustration diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 734ce174c2..7a4b1a3654 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4674(S, F): An operation was attempted on a privileged object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4674 illustration diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 0af7742f2c..f2a5d0c97e 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4675(S): SIDs were filtered. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when SIDs were filtered for specific Active Directory trust. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index fbb93d7b9b..12b9206a7f 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4688(S): A new process has been created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4688 illustration diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index 99bee451d9..49ec3f5924 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4689(S): A process has exited. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4689 illustration diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index d7a23d1da4..14d2dcb02d 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4690(S): An attempt was made to duplicate a handle to an object. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4690 illustration diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index c7ea74bdd7..30a869d7fc 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4691(S): Indirect access to an object was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4691 illustration diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index 064c922cb4..7e1e0b5ab9 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4692(S, F): Backup of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4692 illustration diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 1359ef1968..1bf4eef838 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4693(S, F): Recovery of data protection master key was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4693 illustration diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 0b35bda1ba..c6e3ca0a8c 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4694(S, F): Protection of auditable protected data was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))  [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 9acd287be1..55d37910f6 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4695(S, F): Unprotection of auditable protected data was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index f156dc723b..c426f2bd9e 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4696(S): A primary token was assigned to process. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4696 illustration diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 870352146b..4c6103a175 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4697(S): A service was installed in the system. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4697 illustration diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 9ca662fa59..e3f0385c69 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4698(S): A scheduled task was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4698 illustration diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index dd814dd942..b48820c643 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4699(S): A scheduled task was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4699 illustration diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index e72f7d19f0..6c44dbfa8d 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4700(S): A scheduled task was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4700 illustration diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index e407e2bbbb..0fa78f8923 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4701(S): A scheduled task was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4701 illustration diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 15d128ceef..2ae3e2b5e3 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4702(S): A scheduled task was updated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4702 illustration diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index e8b7ecded9..a2d0ea1520 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4703(S): A user right was adjusted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4703 illustration diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index cb6b95669b..04357bb664 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4704(S): A user right was assigned. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4704 illustration diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 5588e33560..0da39782ac 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4705(S): A user right was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4705 illustration diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index e0abbded89..5bceee43f2 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4706(S): A new trust was created to a domain. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4706 illustration diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index f16f66bdcd..66c5a3a235 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4707(S): A trust to a domain was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4707 illustration diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index 032446b19b..1fc0eda8ae 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4713(S): Kerberos policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4713 illustration diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index d7c176a754..c95647f342 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4714(S): Encrypted data recovery policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4714 illustration diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index d4e9d14839..54836c643a 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4715(S): The audit policy (SACL) on an object was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4715 illustration diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 1cd47c82c4..3b035321b0 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/04/2019 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4716(S): Trusted domain information was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4716 illustration diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index bd3378f122..0d79674053 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4717(S): System security access was granted to an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4717 illustration diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 4c8c676ce4..22f9f3a64a 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4718(S): System security access was removed from an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4718 illustration diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 98469b6945..dc67d391cf 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4719(S): System audit policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4719 illustration diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 1569aebb53..1500cd23c9 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4720(S): A user account was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4720 illustration diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index e156a9bedf..6b10efb7c8 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4722(S): A user account was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4722 illustration diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 8a2eb1aa9b..2208f2ae0e 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4723(S, F): An attempt was made to change an account's password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4723 illustration diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index f360a13828..104704dc32 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4724(S, F): An attempt was made to reset an account's password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4724 illustration diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 5be795b261..0b6ed0593a 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4725(S): A user account was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4725 illustration diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index f8f7ffba8c..03f7cab6c8 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4726(S): A user account was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4726 illustration diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 78d8e0e0c8..ecbe498b31 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4731(S): A security-enabled local group was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4731 illustration diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 2619367fa3..b837e2da3a 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4732(S): A member was added to a security-enabled local group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4732 illustration diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index 219ebdc036..1ff01f46dd 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4733(S): A member was removed from a security-enabled local group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4733 illustration diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index df33b3726f..7fc762a800 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4734(S): A security-enabled local group was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4734 illustration diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 14d1e6df28..ebd05f8b62 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4735(S): A security-enabled local group was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4735 illustration diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index f62d7e4ba8..1beea8a564 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4738(S): A user account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4738 illustration diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index e3268f4c69..d8417cef87 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4739(S): Domain Policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4739 illustration diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index db7139e935..095b90641e 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4740(S): A user account was locked out. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4740 illustration diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 6c83f23d1e..c09ba86137 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4741(S): A computer account was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4741 illustration diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 5d0cda5110..b838e77a00 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4742(S): A computer account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4742 illustration diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 3402a5e1d7..064855d936 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4743(S): A computer account was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4743 illustration diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index 478ae9e021..e1990c4f1e 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4749(S): A security-disabled global group was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4749 illustration diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 1a8a03f92a..9ebd361c00 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4750(S): A security-disabled global group was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4750 illustration diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index cc06f2ae5d..c187c0da6a 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4751(S): A member was added to a security-disabled global group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4751 illustration diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index ef79c01bca..642eb6b948 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4752(S): A member was removed from a security-disabled global group. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4752 illustration diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 45b9de0d33..cf4ada677c 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4753(S): A security-disabled global group was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4753 illustration diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 3b50ba9bf1..073049f2bf 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,9 +16,6 @@ ms.technology: mde # 4764(S): A group’s type was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 Event 4764 illustration diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index ff685d9081..472f9a92d0 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4765(S): SID History was added to an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 7593423b22..bf5820689e 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4766(F): An attempt to add SID History to an account failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when an attempt to add [SID History](/windows/win32/adschema/a-sidhistory) to an account failed. diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index cf7b13e4f0..4b580f7dc0 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4767(S): A user account was unlocked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4767 illustration diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 64156ecd85..9509c1486b 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - :::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png"::: diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 5c460724b8..1790274e2c 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4769(S, F): A Kerberos service ticket was requested. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4769 illustration diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index ac38dc82f9..6a1627d7df 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4770(S): A Kerberos service ticket was renewed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4770 illustration diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index c5aea23ecb..9891a617a0 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/23/2020 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4771(F): Kerberos pre-authentication failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4771 illustration diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 2124b16bb1..c93994b2ed 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4772(F): A Kerberos authentication ticket request failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index ba672478d8..3d4e1fe09b 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4773(F): A Kerberos service ticket request failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 08eb0fe72f..4c01962461 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,9 +16,6 @@ ms.technology: mde # 4774(S, F): An account was mapped for logon. -**Applies to** -- Windows 10 -- Windows Server 2016 Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index cf27ccdf2a..c9e4a319e8 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4775(F): An account could not be mapped for logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 8b9727aaa0..4fde7cba9b 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -16,10 +16,6 @@ ms.technology: mde # 4776(S, F): The computer attempted to validate the credentials for an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4776 illustration diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 28a4b42d08..f5b01ce6aa 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4777(F): The domain controller failed to validate the credentials for an account. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 8293e41487..f7278c0017 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4778(S): A session was reconnected to a Window Station. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4778 illustration diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 29836498cc..3f34f106e4 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4779(S): A session was disconnected from a Window Station. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4779 illustration diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 00faedae10..94b8733eab 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4780(S): The ACL was set on accounts which are members of administrators groups. -**Applies to** -- Windows 10 -- Windows Server 2016 - Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 2adb3bcac5..0e7051d0c0 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4781(S): The name of an account was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4781 illustration diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index e0ecc19336..0d7d285e29 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4782(S): The password hash of an account was accessed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4782 illustration diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 4b75a802d5..d471201647 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4793(S): The Password Policy Checking API was called. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4793 illustration diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 6e585048c1..6901d09cbe 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4794 illustration diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 3fddfd9b65..15a1328384 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4798(S): A user's local group membership was enumerated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4798 illustration diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index 18b337fcdc..92441ae64b 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4799(S): A security-enabled local group membership was enumerated. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4799 illustration diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 92c543f8b0..2e468c9d92 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4800(S): The workstation was locked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4800 illustration diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index ed7c8ec85c..7da15cbbe7 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4801(S): The workstation was unlocked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4801 illustration diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 9f5fa2b8e3..7ea6add001 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4802(S): The screen saver was invoked. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4802 illustration diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 20304e4527..4971789fd3 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4803(S): The screen saver was dismissed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4803 illustration diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 9e36c52bb1..a2c127435d 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4816(S): RPC detected an integrity violation while decrypting an incoming message. -**Applies to** -- Windows 10 -- Windows Server 2016 - This message generates if RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 0b0fc16bf7..3744b68704 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4817(S): Auditing settings on object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4817 illustration diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 05266e39e5..c71a145e05 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4818 illustration diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 3751b39e45..f3acc685b2 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4819(S): Central Access Policies on the machine have been changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4819 illustration diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 2e78b4c653..27f8cbeb41 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4826(S): Boot Configuration Data loaded. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4826 illustration diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index ca1995291e..aec977eddd 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4864(S): A namespace collision was detected. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is generated when a namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 063eb88afc..994d2407a3 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4865(S): A trusted forest information entry was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4865 illustration diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 922d662887..ad75bb1d68 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4866(S): A trusted forest information entry was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4866 illustration diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index a8fdb4a693..e82918ba71 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4867(S): A trusted forest information entry was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4867 illustration diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index d5a7640b84..67d2817434 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4902(S): The Per-user audit policy table was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4902 illustration diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index 268606eab6..0a72ca6e45 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4904(S): An attempt was made to register a security event source. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4904 illustration diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index 65338f9f64..2bc2194af3 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4905(S): An attempt was made to unregister a security event source. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4905 illustration diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 49269c1eb3..5f8556c594 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4906(S): The CrashOnAuditFail value has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4906 illustration diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index e8f78c11b1..54960760dd 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4907(S): Auditing settings on object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4907 illustration diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 3a12a949e0..4b00b7dc48 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4908(S): Special Groups Logon table modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4908 illustration diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 9c3b067418..77f5ddd123 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4909(-): The local policy settings for the TBS were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 948c3a6dab..0c3e27cbcd 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4910(-): The group policy settings for the TBS were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cf47c889e0..34506e27c7 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4911(S): Resource attributes of the object were changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4911 illustration diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index e4bc6d9d43..cd13c3c6ed 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4912(S): Per User Audit Policy was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4912 illustration diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 51ff7291cb..88f5b9912c 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4913(S): Central Access Policy on the object was changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4913 illustration diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 166bc42cf3..c771de77c7 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4928(S, F): An Active Directory replica source naming context was established. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4928 illustration diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index ab04f9ab17..8befaf8042 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4929(S, F): An Active Directory replica source naming context was removed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4929 illustration diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index 3897b1bd01..9b7133cbec 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4930(S, F): An Active Directory replica source naming context was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4930 illustration diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index dfb00ceb91..9be2c0b308 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4931(S, F): An Active Directory replica destination naming context was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4931 illustration diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 13f42ce386..2fe1488145 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4932(S): Synchronization of a replica of an Active Directory naming context has begun. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4932 illustration diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index b4f0784a45..763c17876e 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4933 illustration diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index ffc4b9b4a3..edfe9bb645 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4934(S): Attributes of an Active Directory object were replicated. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when attributes of an Active Directory object were replicated. diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index f2910784e6..6473cffbe6 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4935(F): Replication failure begins. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4935 illustration diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 3f808bf11d..e87cf4d53e 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4936(S): Replication failure ends. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when Active Directory replication failure ends. diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 2775be1c5d..6c1f85f0a7 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4937(S): A lingering object was removed from a replica. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index 3821d18e1b..046a35e163 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4944(S): The following policy was active when the Windows Firewall started. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4944 illustration diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index da8105bffc..c76d313b14 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4945(S): A rule was listed when the Windows Firewall started. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4945 illustration diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 30ae25fd28..4279a425ff 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4946(S): A change has been made to Windows Firewall exception list. A rule was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4946 illustration diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index b38eef6371..48613fd427 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4947 illustration diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 5f92a37c6a..6d0290f772 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4948 illustration diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index e304844bc8..50b400ce2d 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4949(S): Windows Firewall settings were restored to the default values. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4949 illustration diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 54ead99c65..90fdd4b72d 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4950(S): A Windows Firewall setting has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4950 illustration diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 4a2c32b9e2..65357fc8cf 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4951 illustration diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index 150a0ac97d..abd1012a90 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. -**Applies to** -- Windows 10 -- Windows Server 2016 - When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 38d9aa6a3d..d35205d2e8 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4953(F): Windows Firewall ignored a rule because it could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4953 illustration diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 99bb6457e2..f671cef1ef 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4954 illustration diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 34d36fa5d0..c56a466f9f 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4956(S): Windows Firewall has changed the active profile. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4956 illustration diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 8b822ee84c..a34de9e92f 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4957(F): Windows Firewall did not apply the following rule. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4957 illustration diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 05922fd7a7..7bb37f579a 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 0ee97ac194..b83f63788a 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4964(S): Special groups have been assigned to a new logon. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4964 illustration diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index c57db1916e..ee97d237fc 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 4985(S): The state of a transaction has changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 4985 illustration diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index b24cd95e31..6f42905b26 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5024(S): The Windows Firewall Service has started successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5024 illustration diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index a9a3c5e14b..51c4600f15 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5025(S): The Windows Firewall Service has been stopped. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5025 illustration diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 4ea2177c6b..85afaa1f92 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5027 illustration diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 9ab51ca985..8835c0a855 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5028 illustration diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index 46d9b7b3e7..6e8bfab573 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index de68bc30db..175e125235 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5030(F): The Windows Firewall Service failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index df9881e050..8a10a69008 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -10,17 +10,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp +ms.date: 09/08/2021 ms.technology: mde --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. -**Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 - Event 5031 illustration diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index a356c6ba72..235d9fd8d3 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 05552da629..e664ac846b 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5033(S): The Windows Firewall Driver has started successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5033 illustration diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index 7cef4c54e0..e447aeb0e7 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5034(S): The Windows Firewall Driver was stopped. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5034 illustration diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 6b9d8a9488..0bc400131b 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5035(F): The Windows Firewall Driver failed to start. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index a189ce3f21..c36c375902 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. -**Applies to** -- Windows 10 -- Windows Server 2016 - Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 2dc28bef2e..996a74d7b5 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -**Applies to** -- Windows 10 -- Windows Server 2016 - The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index fda19e5f16..09baf51880 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5039(-): A registry key was virtualized. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 3ac07671d2..e9e1bea6c6 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5051(-): A file was virtualized. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index a717d05e4a..96af867108 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5056(S): A cryptographic self-test was performed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index c83ca8bd2e..5d686b4510 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5057(F): A cryptographic primitive operation failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in case of CNG primitive operation failure. diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index b351ee93e6..319ffe99f0 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5058(S, F): Key file operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5058 illustration diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 5881e672d5..ff33eba467 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5059(S, F): Key migration operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5059 illustration diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 11b9903d5d..23fa5c78d9 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5060(F): Verification operation failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates when the Cryptographic Next Generation (CNG) verification operation fails. diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index 7612017713..919d66a79c 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5061(S, F): Cryptographic operation. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5061 illustration diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index e397844d41..242721afc4 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5062(S): A kernel-mode cryptographic self-test was performed. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event occurs rarely, and in some situations may be difficult to reproduce. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index e06e3118a6..020b7ebc4c 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5063(S, F): A cryptographic provider operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 077fadf9f7..2532a3b70b 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5064(S, F): A cryptographic context operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 3a64e39e7f..0bbc9ae5c7 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5065(S, F): A cryptographic context modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 52fca7414b..eebc61873d 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5066(S, F): A cryptographic function operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 245b241e69..a3ca03be65 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5067(S, F): A cryptographic function modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 1cb02be991..645868eeca 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5068(S, F): A cryptographic function provider operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 742188905d..50d95a9aff 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5069(S, F): A cryptographic function property operation was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 9893a7116b..e279ab685d 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5070(S, F): A cryptographic function property modification was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 1b62c11bab..d83424aac5 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5136(S): A directory service object was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5136 illustration diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 0146958e61..65f8370ad0 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5137(S): A directory service object was created. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5137 illustration diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 2553251b75..4fa35c7f07 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5138(S): A directory service object was undeleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5138 illustration diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index c7f306eab0..43eacd93d9 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5139(S): A directory service object was moved. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5139 illustration diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 199e5a4cd7..eb389fe767 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5140(S, F): A network share object was accessed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5140 illustration diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index 7d85f444d4..8da8b7d590 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5141(S): A directory service object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5141 illustration diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index d29c26ddc4..b72ef6d776 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5142(S): A network share object was added. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5142 illustration diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index bc8f827e03..d173059b23 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5143(S): A network share object was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5143 illustration diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 886dc70759..937bc39ce4 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5144(S): A network share object was deleted. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5144 illustration diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 933ab84191..1bf796cf9f 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5145(S, F): A network share object was checked to see whether client can be granted desired access. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5145 illustration diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 23a31eb1a6..1946129b9b 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 04f6c8747a..467c7145cc 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5149(F): The DoS attack has subsided and normal processing is being resumed. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 7e8b6a5cc1..9d9c830f21 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5150(-): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 611541553e..6601b86883 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index cb8da40be3..d4bcbf8042 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5152(F): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5152 illustration diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index ce3f53f60d..eee4621b4d 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index ea9c8ea638..6d0b939b64 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5154 illustration diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index d00134db41..166520ef13 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index b7aa9709b2..d0af703c34 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5156(S): The Windows Filtering Platform has permitted a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5156 illustration diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 73d84e9d53..c20c64f670 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5157(F): The Windows Filtering Platform has blocked a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5157 illustration diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index d863b08c36..f35938a490 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5158 illustration diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index fb896131ac..95ac21b41a 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5159 illustration diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index bb9371baff..5d1e8bf0d8 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5168(F): SPN check for SMB/SMB2 failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5168 illustration diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 3cbb58cf29..1b77d59d7e 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5376(S): Credential Manager credentials were backed up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5376 illustration diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 3be670da7b..82af29b1d7 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5377(S): Credential Manager credentials were restored from a backup. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5377 illustration diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 0025f40837..7880067fb3 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5378(F): The requested credentials delegation was disallowed by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5378 illustration diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 2b5c265e83..c7e89a3513 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5447(S): A Windows Filtering Platform filter has been changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5447 illustration diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index ad0e108238..fd3345a565 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5632(S, F): A request was made to authenticate to a wireless network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5632 illustration diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index ba78854b75..d72afb75da 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5633(S, F): A request was made to authenticate to a wired network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5633 illustration diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 5bb81e6f09..48363c3beb 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5712(S): A Remote Procedure Call (RPC) was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 8d2ea38fcb..4a22ab0013 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5888(S): An object in the COM+ Catalog was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5888 illustration diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index e3d65ee453..d0d9842512 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5889(S): An object was deleted from the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5889 illustration diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index 9b7a9f515c..f7bf90b524 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5890(S): An object was added to the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5890 illustration diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 7565e8f794..0ed126dc60 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6144(S): Security policy in the group policy objects has been applied successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6144 illustration diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index b70a0844a2..ff67ad627d 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6145(F): One or more errors occurred while processing security policy in the group policy objects. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6145 illustration diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index e6ec5bea59..28b9c2e509 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. -**Applies to** -- Windows 10 -- Windows Server 2016 - The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 511aeb3ae9..214d0c5b93 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 829c3215c9..7ae7c5a3ab 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 2aee0f9232..ca0ea21dbe 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index ec9028c852..dfa11c62ac 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index eaa912b6e3..fb4bccd26f 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index fc188cce3b..557c8ebabe 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 689085b2fd..dbaeb0e873 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 3273efaba1..28612dacba 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6407(-): 1%. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 7b29a0468c..c36f520a60 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 6855ea810d..1ac08c75f1 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6409(-): BranchCache: A service connection point object could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index a306a98882..a9f5e5111f 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. -**Applies to** -- Windows 10 -- Windows Server 2016 - [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 4b85673aa7..337a5395be 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6416(S): A new external device was recognized by the System. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6416 illustration diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index 90c145ff77..69a6f30def 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6419(S): A request was made to disable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6419 illustration diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 51570d3ab3..3a2dc5c9d9 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6420(S): A device was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6420 illustration diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index ef4e0b856f..8ac5372312 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6421(S): A request was made to enable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6421 illustration diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 2b2f45d1b8..7e577f25c3 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6422(S): A device was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6422 illustration diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 3332a01011..5f8278b20e 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6423(S): The installation of this device is forbidden by system policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6423 illustration diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 8ca1ce36d6..ba3fcbffe7 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event occurs rarely, and in some situations may be difficult to reproduce. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index 1093140e38..9c7941df2b 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # File System (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 1efc819647..cc3bf79488 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 10/22/2018 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,8 +16,6 @@ ms.technology: mde # How to get a list of XML data name elements in EventData -**Applies to** -- Windows 10 The Security log uses a manifest where you can get all of the event schema. diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 3c07a1dae0..c446bdec67 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor central access policy and rule definitions -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index baf7d9e8a7..b9e1ea714f 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor claim types -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index ed4d03037f..791549bb4f 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor resource attribute definitions -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index f034f7c0fc..ece759aeb6 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the central access policies associated with files and folders -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 12dedf0d60..2d50a5c7db 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the central access policies that apply on a file server -**Applies to** -- Windows 10 This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index f1676a1640..f223b3433d 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the resource attributes on files and folders -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 04ac1c7929..af897bbd62 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the use of removable storage devices -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index edaf8e590f..7f950dd7b1 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor user and device claims during sign-in -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index e74cf80553..a54f6a6f1c 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # Other Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Events in this section generate automatically and are enabled by default. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 068c8792d4..d47efbedbf 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Plan and deploy advanced security audit policies -**Applies to** -- Windows 10 This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 3c5c1ece1e..a01a3a3514 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Registry (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index ec89d5ef53..fb1184eed7 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Security auditing -**Applies to** -- Windows 10 Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 6e90c989e0..dd8bb6516d 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Using advanced security auditing options to monitor dynamic access control objects -**Applies to** -- Windows 10 This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index 84a296e182..5b89a3802e 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # View the security event log -**Applies to** -- Windows 10 The security log records each event as defined by the audit policies you set on each object. diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 4b20841dd8..8e1db3e1b0 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Which editions of Windows support advanced audit policy configuration -**Applies to** -- Windows 10 Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 4065b2122a..3112632b29 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -21,14 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. @@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features. | -> **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. ## Additional qualifications for improved security @@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | \ No newline at end of file +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 83ca25908d..ccb2eb6624 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -18,34 +18,27 @@ ms.technology: mde # Microsoft Virus Initiative -The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. - -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. +The Microsoft Virus Initiative (MVI) helps organizations develop better-together security solutions that are performant, reliable, and aligned with Microsoft technology and strategy. ## Become a member -You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. -1. Offer an antimalware or antivirus product that meets one of the following criteria: +To qualify for the MVI program, your organization must meet all the following requirements: - * Your organization's own creation. - * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. +1) Your security solution either replaces or compliments Microsoft Defender Antivirus. -2. Have your own malware research team unless you build a product based on an SDK. +2) Your organization is responsible for both developing and distributing app updates to end-customers that address compatibility with Windows. -3. Be active and have a positive reputation in the antimalware industry. +3) Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences or being reviewed in an industry-standard report such as AV-Comparatives, OPSWAT, or Gartner. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. +4) Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. +5) Your organization must sign a program license agreement. Maintaining this license agreement requires that you adhere to all program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. -5. Be willing to sign a program license agreement. +6) You must submit your app to Microsoft for periodic performance testing and feature review. -6. Be willing to adhere to program requirements for antimalware apps. These requirements define the behavior of antimalware apps necessary to ensure proper interaction with Windows. - -7. Submit your app to Microsoft for periodic performance testing. - -8. Certified through independent testing by at least one industry standard organization. +7) Your solution must be certified through independent testing by at least one industry-standard organization, and yearly certification must be maintained. Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- @@ -60,4 +53,4 @@ West Coast Labs | Checkmark Certified
http://www.checkmarkcertified.com/sm ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxusDUkejalGp0OAgRTWC7BUQVRYUEVMNlFZUjFaUDY2T1U1UDVVU1NKVi4u). diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 107430388b..5d98c29cbb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -23,21 +23,22 @@ ms.technology: mde - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). - ->[!IMPORTANT] ->Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. +> [!IMPORTANT] +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + ### COM object configurability in WDAC policy -Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. -**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates: +> [!NOTE] +> To add this functionality to other versions of Windows 10, you can install the following or later updates. - Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) - Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288) @@ -48,19 +49,24 @@ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) ### Get COM object GUID Get GUID of application to allow in one of the following ways: -- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID -- Creating audit policy (using New-CIPolicy –Audit), potentially with specific provider, and use info from block events to get GUID +- Finding a block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script), and extracting GUID +- Creating an audit policy (using New-CIPolicy –Audit), potentially with a specific provider, and use the info from the block events to get the GUID ### Author policy setting to allow or deny COM object GUID Three elements: + - Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) -- Key: GUID for the program you with to run, in the format Key="{33333333-4444-4444-1616-161616161616}" +- Key: GUID for the program you wish to run, in the format Key="{33333333-4444-4444-1616-161616161616}" - ValueName: needs to be set to "EnterpriseDefinedClsId" One attribute: + - Value: needs to be “true” for allow and “false” for deny - - Note that deny only works in base policies, not supplemental + + > [!NOTE] + > Deny only works in base policies, not supplemental policies + - The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) ### Examples @@ -96,19 +102,18 @@ Example 3: Allows a specific COM object to register in PowerShell ``` ### How to configure settings for the CLSIDs -Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): +Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): -Log Name: Microsoft-Windows-AppLocker/MSI and Script -Source: Microsoft-Windows-AppLocker -Date: 11/11/2020 1:18:11 PM -Event ID: 8036 -Task Category: None -Level: Error -Keywords: -User: S-1-5-21-3340858017-3068726007-3466559902-3647 -Computer: contoso.com -Description: -{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy. +Log Name: Microsoft-Windows-AppLocker/MSI and Script
+Source: Microsoft-Windows-AppLocker
+Date: 11/11/2020 1:18:11 PM
+Event ID: 8036
+Task Category: None
+Level: Error
+Keywords:
+User: S-1-5-21-3340858017-3068726007-3466559902-3647
+Computer: contoso.com
+Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Event XML: @@ -122,7 +127,7 @@ Event XML: 0 0 0x4000000000000000 - + 819347 @@ -137,22 +142,23 @@ Event XML: ``` -To add this CLSID to the existing policy, use the following steps: +To add this CLSID to the existing policy, follow these steps: 1. Open PowerShell ISE with Administrative privileges. + 2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`. -```PowerShell -PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean -``` - -Once the command has been run, you will find that the following section is added to the policy XML. - -```XML - - - - true - - -``` \ No newline at end of file + ```PowerShell + PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean + ``` + + Once the command has been run, you will find that the following section is added to the policy XML. + + ```XML + + + + true + + + ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0365837d1b..d9e8974465 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -151,7 +151,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -181,7 +181,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 05df6a67cc..452b942ae5 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Port Rule (Windows 10) +title: Create an Inbound Port Rule (Windows) description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index bd01350eee..c3db4fccfa 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Program or Service Rule (Windows 10) +title: Create an Inbound Program or Service Rule (Windows) description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index a463162a4d..ebce547b94 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Port Rule (Windows 10) +title: Create an Outbound Port Rule (Windows) description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index fe0b68eb1d..d3c40f879a 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Program or Service Rule (Windows 10) +title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 59cb4d71cb..07e8a14728 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -1,5 +1,5 @@ --- -title: Create Inbound Rules to Support RPC (Windows 10) +title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 479b2e67af..587339f4f2 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,5 +1,5 @@ --- -title: Create Windows Firewall rules in Intune (Windows 10) +title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -21,12 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. To get started, open Device Configuration in Intune, then create a new profile. -Choose Windows 10 as the platform, and Endpoint Protection as the profile type. +Choose Windows 10 or Windows 11 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. ![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) @@ -35,7 +37,7 @@ Select Windows Defender Firewall. ## Firewall rule components -The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). +The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). ## Application Control connections for an app or program. diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 78d50e3732..725f75af51 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Create WMI Filters for the GPO (Windows 10) +title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/16/2021 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. @@ -58,13 +59,13 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "6.%" ``` - This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 11, Windows 10, and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: ``` syntax ... where Version like "6.1%" or Version like "6.2%" ``` - To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. The following clause returns **true** for all devices that are not domain controllers: @@ -72,7 +73,7 @@ First, create the WMI filter and configure it to look for a specified version (o ... where ProductType="1" or ProductType="3" ``` - The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system. + The following complete query returns **true** for all devices running Windows 10 and Windows 11, and returns **false** for any server operating system or any other client operating system. ``` syntax select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 68a9281a43..52f4ad1566 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,5 +1,5 @@ --- -title: Designing a Windows Defender Firewall Strategy (Windows 10) +title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 89fca32581..fe567b13bf 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,5 +1,5 @@ --- -title: Determining the Trusted State of Your Devices (Windows 10) +title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index e8f37ee452..990d2c4fec 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -1,5 +1,5 @@ --- -title: Documenting the Zones (Windows 10) +title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 8f27c49ab5..dffc684c37 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design Example (Windows 10) +title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 659827d1c6..6d6e93c035 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design (Windows 10) +title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 0a1b0212b6..e8cd903c18 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Inbound Rules (Windows 10) +title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 28e4f8649e..8a3aa2796f 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Outbound Rules (Windows 10) +title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 9dc32a7f67..c57c92edcd 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone GPOs (Windows 10) +title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3fba99acba..31176e0204 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone (Windows 10) +title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 2f7a20377f..4aea9e2010 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,5 +1,5 @@ --- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 38c6fd67c7..2dfe9fd103 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,5 +1,5 @@ --- -title: Exempt ICMP from Authentication (Windows 10) +title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index b923df309c..e4569e0cf8 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,5 +1,5 @@ --- -title: Exemption List (Windows 10) +title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index faa8a0d788..8482ee05ce 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,5 +1,5 @@ --- -title: Firewall GPOs (Windows 10) +title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5a6acfea96..85ce84a2a9 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design Example (Windows 10) +title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. @@ -67,7 +68,7 @@ Other traffic notes: Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: -- Client devices that run Windows 10, Windows 8, or Windows 7 +- Client devices that run Windows 11, Windows 10, Windows 8, or Windows 7 - WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 35ed36b193..07fea715ef 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Active Directory Deployment (Windows 10) +title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 97aed509bc..08f2987678 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,5 +1,5 @@ --- -title: Gathering Info about Your Network Infrastructure (Windows 10) +title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1e9b7fee54..c5f34e8ce7 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Devices (Windows 10) +title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index e75e426e2c..a34c386f5c 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,5 +1,5 @@ --- -title: Gathering Other Relevant Information (Windows 10) +title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index fbdf23f73f..aad5e33e18 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,5 +1,5 @@ --- -title: Gathering the Information You Need (Windows 10) +title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 4ea713f793..3eb3e0fb2b 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Boundary (Windows 10) +title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 7c81975bea..bf33747880 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 ms.reviewer: @@ -14,7 +14,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 7799c8484f..f625255685 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Firewall (Windows 10) +title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index c5c16902b2..ce42bb0dd3 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index a7e5651251..ca3da60412 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 738e348ccd..a3648e301a 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,5 +1,5 @@ --- -title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10) +title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: @@ -14,14 +14,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 265019f489..adb0db7bd9 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,5 +1,5 @@ --- -title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 878839f37f..72632250e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain GPOs (Windows 10) +title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index b9656fd06d..037bf1f77b 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain (Windows 10) +title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: @@ -14,16 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Isolated Domain **Applies to:** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index bfd7f19f0a..6e2fcee3e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -1,5 +1,5 @@ --- -title: Isolating Microsoft Store Apps on Your Network (Windows 10) +title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. @@ -65,7 +66,7 @@ To isolate Microsoft Store apps on your network, you need to use Group Policy to - The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. - >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + >**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).   ## Step 1: Define your network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 7759669531..c50865a29b 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,5 +1,5 @@ --- -title: Link the GPO to the Domain (Windows 10) +title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index ee043c54a0..048875eafd 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) +title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 2f2ec6ad54..037b3a66d6 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,5 +1,5 @@ --- -title: Modify GPO Filters (Windows 10) +title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 7046b6230b..43485b62d6 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,5 +1,5 @@ --- -title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 5c3d340ea4..1239f18bf3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10) +title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 2c7d2f500b..a4cba8e7c3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Defender Firewall (Windows 10) +title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 1b99cfae07..8dda8bcf96 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Open Windows Defender Firewall with Advanced Security (Windows 10) +title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 0f8b7c455f..2291806174 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,5 +1,5 @@ --- -title: Planning Certificate-based Authentication (Windows 10) +title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index af5214261c..0a5d687d62 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Domain Isolation Zones (Windows 10) +title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 0f0993409e..fd986acbbd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning GPO Deployment (Windows 10) +title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 7899c1c091..47d3282978 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index c4fff5ce81..6ac5c58afd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Isolation Groups for the Zones (Windows 10) +title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 57d452edac..d767a7db71 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,5 +1,5 @@ --- -title: Planning Network Access Groups (Windows 10) +title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index a89145ab4a..2a5a06d873 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Server Isolation Zones (Windows 10) +title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index ce989c23c6..e843a202ac 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,5 +1,5 @@ --- -title: Planning Settings for a Basic Firewall Policy (Windows 10) +title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 8bb1208626..67f3121c36 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,5 +1,5 @@ --- -title: Planning the GPOs (Windows 10) +title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. @@ -42,7 +43,7 @@ A few things to consider as you plan the GPOs: - Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11. > [!NOTE] > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 7dabf87126..8d60afedaf 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 437bb3fbeb..8459640ec7 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index e301390ef9..305d69aef6 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,5 +1,5 @@ --- -title: Procedures Used in This Guide (Windows 10) +title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 233776996f..f0fc035973 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,5 +1,5 @@ --- -title: Protect devices from unwanted network traffic (Windows 10) +title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index bd087a2124..17ab51f503 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -14,7 +14,7 @@ ms.localizationpriority: normal audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/17/2020 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 8fbeb35412..a3963db1f2 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,5 +1,5 @@ --- -title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 1a7c288575..e546bbf39d 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict Access to Only Specified Users or Devices (Windows 10) +title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 5285e56ad9..d3d0f94001 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict access to only trusted devices (Windows 10) +title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index a9a24aa516..c0d7282746 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,5 +1,5 @@ --- -title: Restrict Server Access to Members of a Group Only (Windows 10) +title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 8cb2a35d50..aa6d7c5117 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -1,5 +1,5 @@ --- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index bb23429112..74da744d30 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,5 +1,5 @@ --- -title: Server Isolation GPOs (Windows 10) +title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index a0070cf114..fd8fad7308 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design Example (Windows 10) +title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 7d44e7c17c..3d5d5e9694 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design (Windows 10) +title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index b6a468447e..8f2dd62bfc 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,5 +1,5 @@ --- -title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 6a77eda3f7..6f83b6d42d 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,5 +1,5 @@ --- -title: Understand WFAS Deployment (Windows 10) +title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 113c3c0cc2..633bcb4aed 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,5 +1,5 @@ --- -title: Verify That Network Traffic Is Authenticated (Windows 10) +title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf70a3a3b7..c4e919e41a 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9a3954cc03..8e4af001ae 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index e1a438412f..702acc0dcf 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/05/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. @@ -87,7 +88,7 @@ The following table identifies and defines terms used throughout this guide. | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index e3becc881c..7a9d7305a5 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security (Windows 10) +title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/21/2020 +ms.date: 09/08/2021 ms.reviewer: ms.custom: asr ms.technology: mde @@ -21,9 +21,9 @@ ms.technology: mde # Windows Defender Firewall with Advanced Security **Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 6410248ff6..a00511c390 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay -manager: laurawi +manager: dougeby ms.author: greglin ms.localizationpriority: high ms.topic: article @@ -247,7 +247,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables >[!IMPORTANT] >This is a private preview feature and therefore not meant or recommended for production purposes. -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows (for example, Azure AD temporary access pass). Going forward, web sign-in will be restricted to only support Azure AD temporary access pass. +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass. **To try out web sign-in:** 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index b301ed3de2..da063c4529 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -50,7 +50,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. - Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use feature update deployments to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. +- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. ## Cloud-based management