diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 9016bca75e..2889bb4f2a 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -67,6 +67,8 @@ Added in Windows 10, version 1703. This policy allows an administrator to set de
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+
+
To create create the SyncML, follow these steps:
- Install a few apps and change your defaults.
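Review bot: the context line right after the two added blank lines reads "To create create the SyncML, follow these steps:" with a doubled word. Since this hunk already touches that spot, change it to "To create the SyncML, follow these steps:" in the same commit.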
@@ -119,7 +121,7 @@ Here is the SyncMl example:
```
-
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index a28201a263..1ca01c5a3f 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -148,14 +148,17 @@ The following list shows the supported values:
Specifies whether automatic update of apps from Microsoft Store are allowed.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-Most restricted value is 0.
-
-
+
@@ -525,14 +528,17 @@ The following list shows the supported values:
Allows disabling of the retail catalog and only enables the Private store.
+
+Most restricted value is 1.
+
+
+
The following list shows the supported values:
- 0 (default) – Allow both public and Private store.
- 1 – Only Private store is enabled.
-Most restricted value is 1.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 07b993c521..51ca199a31 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -237,13 +237,6 @@ Specifies whether autofill on websites is allowed.
Most restricted value is 0.
-To verify AllowAutofill is set to 0 (not allowed):
-
-1. Open Microsoft Edge.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Save form entries** is greyed out.
-
The following list shows the supported values:
@@ -252,6 +245,15 @@ The following list shows the supported values:
- 1 (default) – Allowed.
+
+To verify AllowAutofill is set to 0 (not allowed):
+
+1. Open Microsoft Edge.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Save form entries** is greyed out.
+
+
@@ -354,13 +356,18 @@ The following list shows the supported values:
Specifies whether cookies are allowed.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-Most restricted value is 0.
-
+
+
To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
@@ -368,7 +375,7 @@ To verify AllowCookies is set to 0 (not allowed):
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is greyed out.
-
+
@@ -471,13 +478,6 @@ Specifies whether Do Not Track headers are allowed.
Most restricted value is 1.
-To verify AllowDoNotTrack is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Send Do Not Track requests** is greyed out.
-
The following list shows the supported values:
@@ -486,6 +486,15 @@ The following list shows the supported values:
- 1 – Allowed.
+
+To verify AllowDoNotTrack is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Send Do Not Track requests** is greyed out.
+
+
@@ -793,13 +802,6 @@ Specifies whether saving and managing passwords locally on the device is allowed
Most restricted value is 0.
-To verify AllowPasswordManager is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
-
The following list shows the supported values:
@@ -808,6 +810,15 @@ The following list shows the supported values:
- 1 (default) – Allowed.
+
+To verify AllowPasswordManager is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
+
+
@@ -853,13 +864,6 @@ Specifies whether pop-up blocker is allowed or enabled.
Most restricted value is 1.
-To verify AllowPopups is set to 0 (not allowed):
-
-1. Open Microsoft Edge.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Block pop-ups** is greyed out.
-
The following list shows the supported values:
@@ -868,6 +872,15 @@ The following list shows the supported values:
- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
+
+To verify AllowPopups is set to 0 (not allowed):
+
+1. Open Microsoft Edge.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Block pop-ups** is greyed out.
+
+
@@ -1021,13 +1034,6 @@ Specifies whether Windows Defender SmartScreen is allowed.
Most restricted value is 1.
-To verify AllowSmartScreen is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
-
The following list shows the supported values:
@@ -1036,6 +1042,15 @@ The following list shows the supported values:
- 1 (default) – Allowed.
+
+To verify AllowSmartScreen is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
+
+
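Review bot: the verification steps re-added here only cover AllowSmartScreen set to 0 (not allowed), while the context of the preceding hunk states "Most restricted value is 1." and this list marks 1 as the default. An admin hardening a device needs to confirm the restricted state, so add or swap in steps for verifying value 1. The relocated AllowDoNotTrack and AllowPopups blocks above have the same mismatch between the value verified and the stated most restricted value.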
@@ -1132,12 +1147,6 @@ Added in Windows 10, version 1703. Specifies whether to clear browsing data on e
Most restricted value is 1.
-To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
-
-1. Open Microsoft Edge and browse to websites.
-2. Close the Microsoft Edge window.
-3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
-
The following list shows the supported values:
@@ -1146,6 +1155,14 @@ The following list shows the supported values:
- 1 – Browsing data is cleared on exit.
+
+To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+
+1. Open Microsoft Edge and browse to websites.
+2. Close the Microsoft Edge window.
+3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
+
+
@@ -1197,14 +1214,17 @@ If this setting is not configured, the search engines used are the ones that are
> [!IMPORTANT]
> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 (default) – Additional search engines are not allowed.
- 1 – Additional search engines are allowed.
-Most restricted value is 0.
-
-
+
@@ -1364,12 +1384,14 @@ The following list shows the supported values:
Allows the user to specify an URL of an enterprise site list.
+
+
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL location of the enterprise site list.
-
+
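Review bot: the first supported value kept as context here, "Not configured. The device checks for updates from Microsoft Update.", looks unrelated to the description above it, which is about the URL of an enterprise site list. While wrapping this list, replace it with what an unconfigured site list means for the browser, so an admin auditing the policy is not misled about the unconfigured state.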
@@ -2061,14 +2083,17 @@ If this setting is not configured, the default search engine is set to the one s
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 (default) - The default search engine is set to the one specified in App settings.
- 1 - Allows you to configure the default search engine for your employees.
-Most restricted value is 0.
-
-
+
@@ -2174,14 +2199,6 @@ Added in Windows 10, version 1703. Specifies whether favorites are kept in sync
>
> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
-To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
-
-
-- Open Internet Explorer and add some favorites.
-
- Open Microsoft Edge, then select Hub > Favorites.
-
- Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
-
-
The following list shows the supported values:
@@ -2190,6 +2207,16 @@ The following list shows the supported values:
- 1 – Synchronization is on.
+
+To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
+
+
+- Open Internet Explorer and add some favorites.
+
- Open Microsoft Edge, then select Hub > Favorites.
+
- Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
+
+
+
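Review bot: the lead sentence re-added here, "To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:", is ungrammatical ("are in synchronized"). The block is being moved anyway, so correct it to "are synchronized" rather than carrying the error to the new location.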
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index e35c21d6ee..2957dd9d77 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -68,12 +68,14 @@ ms.date: 01/29/2018
Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+
The following list shows the supported values:
- 0 (default) – Not allowed.
- 1– Allowed.
-
+
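Review bot: in the supported values list kept as context, "- 1– Allowed." is missing the space before the dash that "- 0 (default) – Not allowed." has. Align it to "- 1 – Allowed." while this list is being wrapped.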
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 1324fc9bf1..bcd17f7911 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -171,12 +171,14 @@ ms.date: 01/29/2018
Allows or disallows scanning of archives.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -223,12 +225,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Behavior Monitoring functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -275,12 +279,14 @@ The following list shows the supported values:
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -327,12 +333,14 @@ The following list shows the supported values:
Allows or disallows scanning of email.
+
+
The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
+
@@ -379,12 +387,14 @@ The following list shows the supported values:
Allows or disallows a full scan of mapped network drives.
+
+
The following list shows the supported values:
- 0 (default) – Not allowed.
- 1 – Allowed.
-
+
@@ -431,12 +441,14 @@ The following list shows the supported values:
Allows or disallows a full scan of removable drives.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -483,12 +495,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender IOAVP Protection functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -535,12 +549,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Intrusion Prevention functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -587,12 +603,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender On Access Protection functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -639,12 +657,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Realtime Monitoring functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -691,12 +711,14 @@ The following list shows the supported values:
Allows or disallows a scanning of network files.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -743,12 +765,14 @@ The following list shows the supported values:
Allows or disallows Windows Defender Script Scanning functionality.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -795,12 +819,14 @@ The following list shows the supported values:
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -947,11 +973,14 @@ Value type is string.
Represents the average CPU load factor for the Windows Defender scan (in percent).
-Valid values: 0–100
The default value is 50.
+
+Valid values: 0–100
+
+
@@ -1206,11 +1235,14 @@ Added in Windows 10, version 1709. This policy settings allows adding user-speci
Time period (in days) that quarantine items will be stored on the system.
-Valid values: 0–90
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+
+Valid values: 0–90
+
+
@@ -1518,13 +1550,15 @@ Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\E
Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+
+
The following list shows the supported values:
- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
-
+
@@ -1574,14 +1608,15 @@ Controls which sets of files should be monitored.
> [!NOTE]
> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
-
+
+
The following list shows the supported values:
- 0 (default) – Monitor all files (bi-directional).
- 1 – Monitor incoming files.
- 2 – Monitor outgoing files.
-
+
@@ -1628,12 +1663,14 @@ The following list shows the supported values:
Selects whether to perform a quick scan or full scan.
+
+
The following list shows the supported values:
- 1 (default) – Quick scan
- 2 – Full scan
-
+
@@ -1684,13 +1721,16 @@ Selects the time of day that the Windows Defender quick scan should run.
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-Valid values: 0–1380
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
The default value is 120
+
+Valid values: 0–1380
+
+
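Review bot: moving "Valid values: 0–1380" below the example leaves the context lines above it uncorrected: "a value of 120=2:00" lacks the AM that the other examples carry, "The default value is 120" has no closing period, and the note says "will depends". Fix these in the same pass so the range, the example and the default read consistently. The later hunk for the scan time-of-day setting carries the same "120=2:00" and "will depends" text.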
@@ -1740,7 +1780,8 @@ Selects the day that the Windows Defender scan should run.
> [!NOTE]
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
+
+
The following list shows the supported values:
- 0 (default) – Every day
@@ -1753,7 +1794,7 @@ The following list shows the supported values:
- 7 – Sunday
- 8 – No scheduled scan
-
+
@@ -1804,13 +1845,16 @@ Selects the time of day that the Windows Defender scan should run.
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-Valid values: 0–1380.
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
The default value is 120.
+
+Valid values: 0–1380.
+
+
@@ -1857,13 +1901,16 @@ The default value is 120.
Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
-Valid values: 0–24.
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
The default value is 8.
+
+Valid values: 0–24.
+
+
@@ -1910,6 +1957,8 @@ The default value is 8.
Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
+
+
The following list shows the supported values:
- 0 – Always prompt.
@@ -1917,7 +1966,7 @@ The following list shows the supported values:
- 2 – Never send.
- 3 – Send all samples automatically.
-
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 97297f2da1..3b169444ca 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -180,15 +180,18 @@ Specifies whether to show a user-configurable setting to control the screen time
> This policy must be wrapped in an Atomic command.
-The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
> [!IMPORTANT]
> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
+
+The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
@@ -235,14 +238,17 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> This policy must be wrapped in an Atomic command.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
+
@@ -291,11 +297,6 @@ Determines the type of PIN or password required. This policy only applies if the
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
-The following list shows the supported values:
-
-- 0 – Alphanumeric PIN or password required.
-- 1 – Numeric PIN or password required.
-- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
> [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
@@ -303,6 +304,14 @@ The following list shows the supported values:
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
+
+The following list shows the supported values:
+
+- 0 – Alphanumeric PIN or password required.
+- 1 – Numeric PIN or password required.
+- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
+
+
@@ -351,10 +360,6 @@ Specifies whether device lock is enabled.
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
> [!IMPORTANT]
> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
@@ -391,6 +396,13 @@ The following list shows the supported values:
> - MaxInactivityTimeDeviceLock
+
+The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+
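Review bot: the re-added list items "0 (default) – Enabled" and "1 – Disabled" are easy to misread because 0 is the enabling value. The IMPORTANT note in the preceding hunk already spells it out as "0 (device password is enabled)"; use the same wording in the list, for example "0 (default) – Device password is enabled", so the inverted meaning is explicit where admins look up the value.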
@@ -437,16 +449,19 @@ Specifies when the password expires (in days).
> This policy must be wrapped in an Atomic command.
-The following list shows the supported values:
-
-- An integer X where 0 <= X <= 730.
-- 0 (default) - Passwords do not expire.
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+The following list shows the supported values:
+
+- An integer X where 0 <= X <= 730.
+- 0 (default) - Passwords do not expire.
+
+
@@ -493,10 +508,6 @@ Specifies how many passwords can be stored in the history that can’t be used.
> This policy must be wrapped in an Atomic command.
-The following list shows the supported values:
-
-- An integer X where 0 <= X <= 50.
-- 0 (default)
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
@@ -505,6 +516,13 @@ Max policy value is the most restricted.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+The following list shows the supported values:
+
+- An integer X where 0 <= X <= 50.
+- 0 (default)
+
+
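Review bot: the re-added item "- 0 (default)" gives no description, so the list does not say what a history of 0 means for password reuse. Add the meaning of 0 next to the default marker, the way the password expiration list earlier in this file does with "0 (default) - Passwords do not expire."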
@@ -656,16 +674,19 @@ This policy has different behaviors on the mobile device and desktop.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
-The following list shows the supported values:
-
-- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
-- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
+- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
+
+
@@ -712,14 +733,17 @@ Specifies the maximum amount of time (in minutes) allowed after the device is id
> This policy must be wrapped in an Atomic command.
+
+For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
+
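Review bot: the context item for 0 contains a broken phrase, "is interpreted by as", and the same line appears in the next hunk. Either name what interprets the value or shorten it to "is interpreted as". The repeated "No timeout is defined." within the one item can also be collapsed.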
@@ -765,13 +789,14 @@ Specifies the maximum amount of time (in minutes) allowed after the device is id
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
+
+
The following list shows the supported values:
- An integer X where 0 <= X <= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
+
@@ -934,17 +959,20 @@ Specifies the minimum number or characters required in the PIN or password.
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-The following list shows the supported values:
-
-- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
-- Not enforced.
-- The default value is 4 for mobile devices and desktop devices.
Max policy value is the most restricted.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
+- Not enforced.
+- The default value is 4 for mobile devices and desktop devices.
+
+
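Review bot: the list re-added under "The following list shows the supported values:" has two items that are not values: "Not enforced." names no value that produces it, and "The default value is 4 for mobile devices and desktop devices." is a default, not a supported value. State which value means not enforced and move the default out of the list or mark it on the range item. The hunk header context also shows "minimum number or characters", which should read "number of characters".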
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 395598e623..e2302d2679 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -76,12 +76,14 @@ If you disable or do not configure this policy setting, GDI DPI Scaling might st
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+
To validate on Desktop, do the following:
1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
-
+
@@ -132,12 +134,14 @@ If you disable or do not configure this policy setting, GDI DPI Scaling will not
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+
To validate on Desktop, do the following:
1. Configure the setting for an app which uses GDI.
2. Run the app and observe crisp text.
-
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 08a7c01d46..9c346946d7 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1080,13 +1080,15 @@ The following list shows the supported values:
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+
+
The following list shows the supported values:
- 0 – None.
- 1 (default) – Windows spotlight enabled.
- 2 – placeholder only for future extension. Using this value has no effect.
-
+
@@ -1133,12 +1135,14 @@ If you enable this policy setting, users will no longer see feedback notificatio
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+
+
The following list shows the supported values:
- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
- 1 – Feedback notifications are disabled.
-
+
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 421c1c41e8..9f742bb32f 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -67,6 +67,8 @@ Enables the IT admin to push out a configuration representing the desired system
The system settings require a reboot; the application settings do not require a reboot.
+
+
Here is an example:
``` syntax
@@ -92,7 +94,7 @@ Here is an example:
```
-
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index d142ceb56a..1207e03022 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -293,13 +293,16 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
-Valid values:
-- 0 - local Administrator account is disabled
-- 1 - local Administrator account is enabled
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - local Administrator account is disabled
+- 1 - local Administrator account is enabled
+
+
@@ -343,15 +346,18 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
-Valid values:
-- 0 - local Guest account is disabled
-- 1 - local Guest account is enabled
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+
@@ -397,9 +403,6 @@ Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
Default: Enabled.
-Valid values:
-- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
-- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
Warning:
@@ -412,6 +415,12 @@ It is possible for applications that use remote interactive logons to bypass thi
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+
@@ -1086,14 +1095,17 @@ In order to take advantage of this policy on domain controllers, all domain cont
Interactive Logon:Display user information when the session is locked
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
Valid values:
- 1 - User display name, domain and user names
- 2 - User display name only
- 3 - Do not display user information
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
+
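Review bot: The ordering in this hunk is the reverse of the surrounding hunks. Here "Value type is integer. Supported operations are Add, Get, Replace, and Delete." is moved above the "Valid values:" list, while the neighbouring hunks leave that sentence where it was and append the list after it. Pick one order and apply it to every policy so the rendered pages stay uniform. While this section is being touched, the context line "Interactive Logon:Display user information when the session is locked" is missing a space after the colon, and no "Default:" line is visible for this policy although the neighbouring ones state theirs.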
@@ -1142,13 +1154,16 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
-Valid values:
-- 0 - disabled (username will be shown)
-- 1 - enabled (username will not be shown)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+
@@ -1198,13 +1213,16 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
-Valid values:
-- 0 - disabled (username will be shown)
-- 1 - enabled (username will not be shown)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+
@@ -1255,13 +1273,16 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
-Valid values:
-- 0 - disabled
-- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+
+
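Review bot: In the re-added list, "0 - disabled" carries no explanation while "1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)" does. Because enabling this setting removes a protection, the 0 entry should be spelled out too, for example "0 - disabled (a user is required to press CTRL+ALT+DEL to log on)", which matches the "If this policy is disabled" sentence shown in the hunk header. The list is being moved anyway, so this is a cheap place to fix it.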
@@ -1307,13 +1328,16 @@ Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
-Valid values:
-- 0 - disabled
-- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
+
+
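Review bot: The re-added list documents this setting as a 0/1 switch, but the description just above it says the session locks when inactive time "exceeds the inactivity limit", and nothing in the hunk says where that limit is set. Please confirm whether the integer value is itself the limit (a duration) rather than an enable flag. If it is, the list should give the accepted range and unit instead of "0 - disabled" and "1 - enabled".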
@@ -2203,13 +2227,16 @@ Network security: Allow PKU2U authentication requests to this computer to use on
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+
+
@@ -2477,13 +2504,16 @@ Recovery console: Allow automatic administrative logon
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
Default: This policy is not defined and automatic administrative logon is not allowed.
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow automatic administrative logon)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow automatic administrative logon)
+
+
@@ -2534,13 +2564,16 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow system to be shut down without having to log on)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow system to be shut down without having to log on)
+
+
@@ -2688,15 +2721,18 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
Disabled: (Default)
-Valid values:
-- 0 - disabled
-- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index f5a62a9471..3d2a9f5773 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -68,17 +68,21 @@ Added in Windows 10, version 1703. Optional policy that allows for IT admin to
> [!IMPORTANT]
> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
+
+
The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
+
+
To validate on Desktop, do the following:
1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
-
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index a10d85a033..743c206a04 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -74,12 +74,14 @@ ms.date: 01/29/2018
Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
+
+
The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
+
@@ -122,12 +124,14 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+
The following list shows the supported values:
- 0 - message sync is not allowed and cannot be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
-
+
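Review bot: The list wrapped by this hunk does not mark a default. Both neighbouring Messaging policies in this patch flag theirs ("1 (default) - Enabled."), but here neither "0 - message sync is not allowed and cannot be changed by the user." nor "1 - message sync is allowed. The user can change this setting." carries "(default)". Since the description says the policy exists to keep data off servers outside the organization's control, an admin needs to know which state applies when the policy is not set.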
@@ -173,12 +177,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
+
+
The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
-
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 8ab600b9d8..5422f5440f 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -504,15 +504,18 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -684,15 +687,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -864,15 +870,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1044,15 +1053,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1224,15 +1236,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1404,15 +1419,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1584,15 +1602,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1764,15 +1785,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -1944,15 +1968,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -2124,15 +2151,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -2304,15 +2334,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -2484,15 +2517,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -2664,15 +2700,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -3016,15 +3055,18 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family N
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -3196,15 +3238,18 @@ Added in Windows 10, version 1607. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
@@ -3376,17 +3421,20 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
-The following list shows the supported values:
-
-- 0 – User in control (default).
-- 1 – Force allow.
-- 2 - Force deny.
Most restricted value is 2.
> [!WARNING]
> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+The following list shows the supported values:
+
+- 0 – User in control (default).
+- 1 – Force allow.
+- 2 - Force deny.
+
+
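Review bot: The re-added list in this hunk is formatted differently from every other list in the patch. It writes "0 – User in control (default)." with the default marker at the end, while the other lists put it after the number ("0 (default) – Disabled."), and it mixes an en dash on the first two items with a hyphen on "2 - Force deny.". Since these lines are being rewritten here, normalize both. Also note that "Most restricted value is 2." stays as plain context above the warning in this hunk, whereas the other Privacy hunks remove and re-add it next to the list; check that it ends up in the same place relative to the list as in the sibling policies.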
@@ -3558,15 +3606,18 @@ Added in Windows 10, version 1703. List of semi-colon delimited Package Family
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
+
+Most restricted value is 2.
+
+
+
The following list shows the supported values:
- 0 – User in control.
- 1 – Force allow.
- 2 - Force deny.
-Most restricted value is 2.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 6aac1d55e9..743ea8568e 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -106,12 +106,14 @@ ms.date: 01/29/2018
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -332,14 +334,17 @@ This policy has been deprecated.
Allows the use of diacritics.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-Most restricted value is 0.
-
-
+
@@ -425,14 +430,17 @@ Allow Windows indexer. Value type is integer.
Specifies whether to always use automatic language detection when indexing content and properties.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-Most restricted value is 0.
-
-
+
@@ -475,12 +483,14 @@ Most restricted value is 0.
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
+
+
The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
+
@@ -527,12 +537,14 @@ If you enable this policy setting, locations on removable drives cannot be added
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
+
+
The following list shows the supported values:
- 0 (default) – Disable.
- 1 – Enable.
-
+
@@ -634,12 +646,14 @@ Enable this policy if computers in your environment have extremely limited hard
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
+
+
The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
+
@@ -682,12 +696,14 @@ The following list shows the supported values:
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+
+
The following list shows the supported values:
- 0 – Disable.
- 1 (default) – Enable.
-
+
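Review bot: The description kept as context in this hunk ends with a doubled period ("client search requests will use this computer's index.."). Fix it in the same change. It would also help to tie the value list to the description: the text speaks of "enabled" blocking remote index queries and the list marks "1 (default) – Enable." as the default, so stating in the list item that 1 prevents remote queries would save readers from having to cross-reference.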
@@ -734,14 +750,17 @@ The following list shows the supported values:
Specifies what level of safe search (filtering adult content) is required.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Strict, highest filtering against adult content.
- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
-Most restricted value is 0.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 7ee5db3300..8d7edec458 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -147,12 +147,14 @@ The following list shows the supported values:
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-
+
@@ -468,12 +470,14 @@ Added in Windows 10, version 1607 to replace the deprecated policy **Security/A
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+
+
The following list shows the supported values:
- 0 (default) – Encryption enabled.
- 1 – Encryption disabled.
-
+
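Review bot: The description left as context in this hunk does not match the values it introduces. "Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined." is word for word the description of the earlier policy in this file whose values are "0 – Not allowed." and "1 (default) – Allowed.", yet the list here reads "0 (default) – Encryption enabled." and "1 – Encryption disabled.". An "allow" sentence paired with a value of 1 that turns encryption off is easy to misread and could leave devices unencrypted by mistake. Reword the description so it says what setting 1 does, consistent with the hunk header's statement that this policy replaces a deprecated one.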
@@ -516,10 +520,6 @@ The following list shows the supported values:
Allows enterprise to turn on internal storage encryption.
-The following list shows the supported values:
-
-- 0 (default) – Encryption is not required.
-- 1 – Encryption is required.
Most restricted value is 1.
@@ -527,6 +527,13 @@ Most restricted value is 1.
> If encryption has been enabled, it cannot be turned off by using this policy.
+
+The following list shows the supported values:
+
+- 0 (default) – Encryption is not required.
+- 1 – Encryption is required.
+
+
@@ -569,12 +576,14 @@ Most restricted value is 1.
Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
+
+
The following list shows the supported values:
- 0 (default) – Not required.
- 1 – Required.
-
+
@@ -617,10 +626,6 @@ The following list shows the supported values:
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-The following list shows the supported values:
-
-- 0 (default) – Not required.
-- 1 – Required.
Setting this policy to 1 (Required):
@@ -634,6 +639,13 @@ Setting this policy to 1 (Required):
Most restricted value is 1.
+
+The following list shows the supported values:
+
+- 0 (default) – Not required.
+- 1 – Required.
+
+
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index f5a811c564..1ba96f10d0 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -728,6 +728,8 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+
+
The following list shows the supported values:
- 0 (default) – User will be allowed to configure the setting.
@@ -735,7 +737,7 @@ The following list shows the supported values:
- 2 - Simplified Chinese (Lunar).
- 3 - Traditional Chinese (Lunar).
-
+
@@ -802,13 +804,15 @@ Example 2, specifies that the wifi page should not be shown:
hide:wifi
+
+
To validate on Desktop, do the following:
1. Open System Settings and verfiy that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".
3. Open System Settings again and verify that the About page is no longer accessible.
-
+
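Review bot: Typo in the first validation step kept as context here: "Open System Settings and verfiy that the About page is visible and accessible." should read "verify". The block is being re-wrapped in this hunk, so correct it in the same commit.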
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index fa95c2c0a3..eabc6aabe7 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -663,15 +663,18 @@ The following list shows the supported values:
Forces the start screen size.
+
+If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
+
The following list shows the supported values:
- 0 (default) – Do not force size of Start.
- 1 – Force non-fullscreen size of Start.
- 2 - Force a fullscreen size of Start.
-If there is policy configuration conflict, the latest configuration request is applied to the device.
-
-
+
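Review bot: The sentence this hunk re-adds above the list is missing an article: "If there is policy configuration conflict, the latest configuration request is applied to the device." should be "If there is a policy configuration conflict, ...". The line is already being deleted and re-added, so fix the wording rather than carrying it over unchanged. The list below it also mixes an en dash ("1 – Force non-fullscreen size of Start.") with a hyphen ("2 - Force a fullscreen size of Start.").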
@@ -720,12 +723,6 @@ Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
-The following list shows the supported values:
-
-- 0 (default) – None.
-- 1 – Hide all apps list.
-- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
-- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
To validate on Desktop, do the following:
@@ -735,6 +732,15 @@ To validate on Desktop, do the following:
- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
+
+The following list shows the supported values:
+
+- 0 (default) – None.
+- 1 – Hide all apps list.
+- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
+- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
+
+
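Review bot: This hunk places the supported-values list after the validation steps (it follows the "2c - If set to '3'" step), which is the opposite of what the rest of the patch does for the Start policies. The later hunks move "To validate on Desktop" below the values list, and for the most used apps policy the list is explicitly moved up ahead of the validation steps. Move the validation steps here instead of the list so that every policy reads description, supported values, then validation.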
@@ -777,11 +783,6 @@ To validate on Desktop, do the following:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
-
The following list shows the supported values:
@@ -790,6 +791,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
+
+
@@ -835,6 +843,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
To validate on Desktop, do the following:
1. Enable "Show most used apps" in the Settings app.
@@ -844,14 +861,7 @@ To validate on Desktop, do the following:
5. Check that "Show most used apps" Settings toggle is grayed out.
6. Check that most used apps do not appear in Start.
-
-
-The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
+
@@ -894,10 +904,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-To validate on Laptop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Hibernate" is not available.
> [!NOTE]
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
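Review bot: After this change the NOTE is separated from the steps it qualifies. "This policy can only be verified on laptops" stays here, above the supported-values list, while the "To validate on Laptop" steps are re-added below the list in the next hunk. Move the note together with the validation steps so the caveat sits next to the procedure. Minor: "regular PC's" should be "regular PCs".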
@@ -910,6 +916,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Laptop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Hibernate" is not available.
+
+
@@ -952,11 +965,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Lock" is not available.
-
The following list shows the supported values:
@@ -965,6 +973,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Lock" is not available.
+
+
@@ -1055,11 +1070,6 @@ Value type is integer.
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, and verify the power button is not available.
-
The following list shows the supported values:
@@ -1068,6 +1078,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, and verify the power button is not available.
+
+
@@ -1113,6 +1130,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
To validate on Desktop, do the following:
1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
@@ -1125,14 +1151,7 @@ To validate on Desktop, do the following:
8. Repeat Step 2.
9. Right Click pinned photos app and verify that there is no jumplist of recent items.
-
-
-The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
+
@@ -1178,6 +1197,15 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
+
+
+The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
+
To validate on Desktop, do the following:
1. Enable "Show recently added apps" in the Settings app.
@@ -1187,14 +1215,7 @@ To validate on Desktop, do the following:
5. Check that "Show recently added apps" Settings toggle is grayed out.
6. Check that recently added apps do not appear in Start.
-
-
-The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
+
@@ -1237,11 +1258,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
-
The following list shows the supported values:
@@ -1250,6 +1266,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
+
+
@@ -1292,11 +1315,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
-
The following list shows the supported values:
@@ -1305,6 +1323,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
+
+
@@ -1347,11 +1372,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Sign out" is not available.
-
The following list shows the supported values:
@@ -1360,6 +1380,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Sign out" is not available.
+
+
@@ -1402,11 +1429,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify that "Sleep" is not available.
-
The following list shows the supported values:
@@ -1415,6 +1437,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify that "Sleep" is not available.
+
+
@@ -1457,11 +1486,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Switch account" is not available.
-
The following list shows the supported values:
@@ -1470,6 +1494,13 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Switch account" is not available.
+
+
@@ -1515,12 +1546,6 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Log off.
-3. Log in, and verify that the user tile is gone from Start.
-
The following list shows the supported values:
@@ -1529,6 +1554,14 @@ The following list shows the supported values:
- 1 - True (hide).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Log off.
+3. Log in, and verify that the user tile is gone from Start.
+
+
@@ -1579,6 +1612,8 @@ Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
+
+
To validate on Desktop, do the following:
1. Set policy with an XML for Edge assets.
@@ -1586,7 +1621,7 @@ To validate on Desktop, do the following:
3. Sign out/in.
4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
-
+
@@ -1629,14 +1664,6 @@ To validate on Desktop, do the following:
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Right click on a program pinned to taskbar.
-3. Verify that "Unpin from taskbar" menu does not show.
-4. Open Start and right click on one of the app list icons.
-5. Verify that More->Pin to taskbar menu does not show.
-
The following list shows the supported values:
@@ -1645,6 +1672,16 @@ The following list shows the supported values:
- 1 - True (pinning disabled).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Right click on a program pinned to taskbar.
+3. Verify that "Unpin from taskbar" menu does not show.
+4. Open Start and right click on one of the app list icons.
+5. Verify that More->Pin to taskbar menu does not show.
+
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 62c833ad36..b7bc8809d4 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -69,14 +69,17 @@ ms.date: 01/29/2018
Added in Windows 10, version 1709. Allows disk health model updates.
+
+Value type is integer.
+
+
+
The following list shows the supported values:
- 0 - Do not allow
- 1 (default) - Allow
-Value type is integer.
-
-
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e8c1f500f6..f7c6e8a3f8 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -115,13 +115,15 @@ This policy setting determines whether users can access the Insider build contro
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+
+
The following list shows the supported values:
- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
-
+
@@ -219,15 +221,18 @@ The following list shows the supported values:
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Disabled.
- 1 (default) – Permits Microsoft to configure device settings only.
- 2 – Allows Microsoft to conduct full experimentations.
-Most restricted value is 0.
-
-
+
@@ -333,11 +338,6 @@ To verify if System/AllowFontProviders is set to true:
Specifies whether to allow app access to the Location service.
-The following list shows the supported values:
-
-- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
-- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
-- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
Most restricted value is 0.
@@ -348,6 +348,14 @@ When switching the policy back from 0 (Force Location Off) or 2 (Force Location
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
+The following list shows the supported values:
+
+- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
+- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
+- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
+
+
@@ -721,12 +729,6 @@ Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe is not running in Task Manager.
-
The following list shows the supported values:
@@ -735,6 +737,14 @@ The following list shows the supported values:
- 1 – True (sync disabled).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Restart machine.
+3. Verify that OneDrive.exe is not running in Task Manager.
+
+
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 7b2956f975..e712a54e76 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -278,14 +278,17 @@ The following list shows the supported values:
Allows the Japanese IME surrogate pair characters.
+
+Most restricted value is 0.
+
+
+
The following list shows the supported values:
- 0 – Not allowed.
- 1 (default) – Allowed.
-Most restricted value is 0.
-
-
+
@@ -501,12 +504,6 @@ Added in Windows 10, version 1703. Specifies whether text prediction is enabled
Most restricted value is 0.
-To validate that text prediction is disabled on Windows 10 for desktop, do the following:
-
-1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
-2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
-3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
-
The following list shows the supported values:
@@ -515,6 +512,14 @@ The following list shows the supported values:
- 1 (default) – Enabled.
+
+To validate that text prediction is disabled on Windows 10 for desktop, do the following:
+
+1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
+2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
+3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
+
+
@@ -684,12 +689,14 @@ The following list shows the supported values:
Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 are filtered.
-
+
@@ -736,12 +743,14 @@ The following list shows the supported values:
Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except JIS0208 and EUDC are filtered.
-
+
@@ -788,12 +797,14 @@ The following list shows the supported values:
Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
- 0 (default) – No characters are filtered.
- 1 – All characters except ShiftJIS are filtered.
-
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d6e49b9bb0..3eac735f1d 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -357,6 +357,15 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
Supported operations are Get and Replace.
+
+> [!IMPORTANT]
+> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
+
+
+If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+
+
The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
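Review bot: The [!IMPORTANT] callout added at the top of this hunk reads "This option should be used only for systems under regulatory compliance", but it now sits ahead of the supported-values list, so "This option" has no referent. In the lines removed in the next hunk it directly followed value 5 (Turn off automatic updates), which is the setting that stops security updates. Suggest naming the value in the callout, for example "Value 5 should be used only for systems under regulatory compliance", or keeping the callout directly under the value 5 entry.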
@@ -366,13 +375,7 @@ The following list shows the supported values:
- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 – Turn off automatic updates.
-> [!IMPORTANT]
-> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
-
-If the policy is not configured, end-users get the default behavior (Auto install and restart).
-
-
+
@@ -469,12 +472,14 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+
The following list shows the supported values:
- 0 – Not allowed or not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
-
+
@@ -724,12 +729,14 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+
The following list shows the supported values:
- 1 (default) – Auto Dismissal.
- 2 – User Dismissal.
-
+
@@ -1388,12 +1395,14 @@ The default value is 7 days.
Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+
+
The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
-
+
@@ -1439,12 +1448,14 @@ Added in the April service release of Windows 10, version 1607. Allows Windows U
> [!NOTE]
> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
+
+
The following list shows the supported values:
- 0 (default) – Disabled.
- 1 – Enabled.
-
+
@@ -1556,10 +1567,6 @@ Added in Windows 10, version 1703. Specifies whether to ignore the MO download
> Setting this policy might cause devices to incur costs from MO operators.
-To validate this policy:
-
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
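Review bot: Step 3 ("Verify that any downloads that are above the download size limit will complete without being paused") is left behind as unchanged context while steps 1 and 2 and the TShell command line above it are removed. After this change the description ends with an orphaned item numbered 3, cut off from the rest of the validation procedure. Move step 3 together with the other steps.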
@@ -1572,6 +1579,13 @@ The following list shows the supported values:
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+
+To validate this policy:
+
+1. Enable the policy and ensure the device is on a cellular network.
+2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+
+
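Review bot: The relocated validation procedure is incomplete: step 2 ends with "run the following commands in TShell:" and nothing follows it. The exec-device schtasks.exe line removed in the previous hunk is not re-added here, and step 3 is missing from this block as well. Carry over the command line and step 3 so the procedure can be followed from one place.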
@@ -1614,13 +1628,15 @@ The following list shows the supported values:
Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
+
+
The following list shows the supported values:
- 0 - Disable Preview builds
- 1 - Disable Preview builds once the next release is public
- 2 - Enable Preview builds
-
+
@@ -1667,16 +1683,19 @@ The following list shows the supported values:
Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
-The following list shows the supported values:
-
-- 0 (default) – Deferrals are not paused.
-- 1 – Deferrals are paused.
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+The following list shows the supported values:
+
+- 0 (default) – Deferrals are not paused.
+- 1 – Deferrals are paused.
+
+
@@ -1722,12 +1741,14 @@ Since this policy is not blocked, you will not get a failure message when you us
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+
+
The following list shows the supported values:
- 0 (default) – Feature Updates are not paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
-
+
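Review bot: In the value 1 entry, "or until value set to back to 0" has a stray "to"; the matching Quality Updates entry in the next hunk reads "or until value set back to 0". The line is unchanged context, but since this section is being touched, fix the wording so the two entries agree.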
@@ -1815,12 +1836,14 @@ Value type is string. Supported operations are Add, Get, Delete, and Replace.
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+
+
The following list shows the supported values:
- 0 (default) – Quality Updates are not paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
-
+
@@ -1923,12 +1946,14 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
Allows the IT admin to set a device to Semi-Annual Channel train.
+
+
The following list shows the supported values:
- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted).
- 1 – User gets upgrades from Semi-Annual Channel.
-
+
@@ -1977,12 +2002,14 @@ Allows the IT admin to restrict the updates that are installed on a device to on
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
-
+
@@ -2131,6 +2158,8 @@ The data type is a integer.
Supported operations are Add, Delete, Get, and Replace.
+
+
The following list shows the supported values:
- 0 (default) – Every day
@@ -2142,7 +2171,7 @@ The following list shows the supported values:
- 6 – Friday
- 7 – Saturday
-
+
@@ -2475,12 +2504,14 @@ The default value is 3.
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+
The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
-
+
@@ -2523,12 +2554,14 @@ The following list shows the supported values:
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
+
+
The following list shows the supported values:
- 0 - not configured
- 1 - configured
-
+
@@ -2576,11 +2609,15 @@ Allows the device to check for updates from a WSUS server instead of Microsoft U
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
+
+
Example
``` syntax
@@ -2599,7 +2636,7 @@ Example
```
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 78fb5ed4b9..a7f22fe4fc 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -166,12 +166,14 @@ Value type is string. Supported operations are Add, Get, Replace and Delete.
Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center.
-
+
@@ -266,12 +268,14 @@ The following list shows the supported values:
Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+
Valid values:
- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center.
- 1 - (Enable) The users cannot see the display of the Device secuirty area in Windows Defender Security Center.
-
+
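Review bot: Typo in the value 1 entry, "Device secuirty area", and the description line writes "Windows defender Security Center" with a lowercase "d" while the rest of the text uses "Windows Defender Security Center". Neither is introduced by this hunk, but the section is being restructured here, so both can be corrected in the same pass.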
@@ -830,12 +834,14 @@ The following list shows the supported values:
Added in Windows 10, next major update. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Ransomware data recovery area will be visible.
- 1 - (Enable) The Ransomware data recovery area is hidden.
-
+
@@ -878,12 +884,14 @@ Valid values:
Added in Windows 10, next major update. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Secure boot area is displayed.
- 1 - (Enable) The Secure boot area is hidden.
-
+
@@ -926,12 +934,14 @@ Valid values:
Added in Windows 10, next major update. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+
Valid values:
- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed.
- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden.
-
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index eda04ac82d..69290e276b 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -118,13 +118,15 @@ The following list shows the supported values:
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
+
+
Value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
-
+
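Review bot: "Value type is int." stays fused to the "The following list shows the supported values:" line, so it is not moved up with the description. In policy-csp-storage.md this same change moves "Value type is integer." into the description, ahead of the list. Suggest splitting the sentence off here and treating it the same way, and writing "integer" for consistency.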
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index e0a364f38a..9679d7b3a3 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -195,11 +195,6 @@ ADMX Info:
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Verify that the Switch account button in Start is hidden.
-
The following list shows the supported values:
@@ -208,6 +203,13 @@ The following list shows the supported values:
- 1 - Enabled (hidden).
+
+To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Verify that the Switch account button in Start is hidden.
+
+