deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 2060: Merge nibr-SplitPolicyCSP-12344804 to master

Browse Source 
Splitting Policy CSP by area name.
Refreshing ADMX policies.
This commit is contained in:
Nicholas Brower 2017-07-05 21:51:22 +00:00
parent 74cbef2d12
commit b5fa1d1add
66 changed files with 34019 additions and 21547 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
windows/client-management/mdm/TOC.md
View File

@ -167,6 +167,70 @@
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
#### [ApplicationManagement](policy-csp-applicationmanagement.md)
#### [AppVirtualization](policy-csp-appvirtualization.md)
#### [AttachmentManager](policy-csp-attachmentmanager.md)
#### [Authentication](policy-csp-authentication.md)
#### [Autoplay](policy-csp-autoplay.md)
#### [Bitlocker](policy-csp-bitlocker.md)
#### [Bluetooth](policy-csp-bluetooth.md)
#### [Browser](policy-csp-browser.md)
#### [Camera](policy-csp-camera.md)
#### [Cellular](policy-csp-cellular.md)
#### [Connectivity](policy-csp-connectivity.md)
#### [CredentialProviders](policy-csp-credentialproviders.md)
#### [CredentialsUI](policy-csp-credentialsui.md)
#### [Cryptography](policy-csp-cryptography.md)
#### [DataProtection](policy-csp-dataprotection.md)
#### [DataUsage](policy-csp-datausage.md)
#### [Defender](policy-csp-defender.md)
#### [DeliveryOptimization](policy-csp-deliveryoptimization.md)
#### [Desktop](policy-csp-desktop.md)
#### [DeviceGuard](policy-csp-deviceguard.md)
#### [DeviceInstallation](policy-csp-deviceinstallation.md)
#### [DeviceLock](policy-csp-devicelock.md)
#### [Display](policy-csp-display.md)
#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
#### [ErrorReporting](policy-csp-errorreporting.md)
#### [EventLogService](policy-csp-eventlogservice.md)
#### [Experience](policy-csp-experience.md)
#### [Games](policy-csp-games.md)
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)
#### [NetworkIsolation](policy-csp-networkisolation.md)
#### [Notifications](policy-csp-notifications.md)
#### [Power](policy-csp-power.md)
#### [Printers](policy-csp-printers.md)
#### [Privacy](policy-csp-privacy.md)
#### [RemoteAssistance](policy-csp-remoteassistance.md)
#### [RemoteDesktopServices](policy-csp-remotedesktopservices.md)
#### [RemoteManagement](policy-csp-remotemanagement.md)
#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
#### [RemoteShell](policy-csp-remoteshell.md)
#### [Search](policy-csp-search.md)
#### [Security](policy-csp-security.md)
#### [Settings](policy-csp-settings.md)
#### [SmartScreen](policy-csp-smartscreen.md)
#### [Speech](policy-csp-speech.md)
#### [Start](policy-csp-start.md)
#### [Storage](policy-csp-storage.md)
#### [System](policy-csp-system.md)
#### [TextInput](policy-csp-textinput.md)
#### [TimeLanguageSettings](policy-csp-timelanguagesettings.md)
#### [Update](policy-csp-update.md)
#### [Wifi](policy-csp-wifi.md)
#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
#### [WindowsLogon](policy-csp-windowslogon.md)
#### [WirelessDisplay](policy-csp-wirelessdisplay.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)
### [PROXY CSP](proxy-csp.md)

24694
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

145
windows/client-management/mdm/policy-csp-abovelock.md Normal file
View File

@ -0,0 +1,145 @@
---
title: Policy CSP - AboveLock
description: Policy CSP - AboveLock
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - AboveLock
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## AboveLock policies
<!--StartPolicy-->
<a href="" id="abovelock-allowactioncenternotifications"></a>**AboveLock/AllowActionCenterNotifications**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether to allow Action Center notifications above the device lock screen.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="abovelock-allowcortanaabovelock"></a>**AboveLock/AllowCortanaAboveLock**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or dont configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="abovelock-allowtoasts"></a>**AboveLock/AllowToasts**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow toast notifications above the device lock screen.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

186
windows/client-management/mdm/policy-csp-accounts.md Normal file
View File

@ -0,0 +1,186 @@
---
title: Policy CSP - Accounts
description: Policy CSP - Accounts
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Accounts
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Accounts policies
<!--StartPolicy-->
<a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether user is allowed to add non-MSA email accounts.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
> [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="accounts-allowmicrosoftaccountsigninassistant"></a>**Accounts/AllowMicrosoftAccountSignInAssistant**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disabled.
- 1 (default) Manual start.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="accounts-domainnamesforemailsync"></a>**Accounts/DomainNamesForEmailSync**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies a list of the domains that are allowed to sync email on the device.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Accounts policies supported by Windows Holographic for Business
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
<!--EndHoloLens-->

74
windows/client-management/mdm/policy-csp-activexcontrols.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Policy CSP - ActiveXControls
description: Policy CSP - ActiveXControls
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - ActiveXControls
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## ActiveXControls policies
<!--StartPolicy-->
<a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
Note: Wild card characters cannot be used when specifying the host URLs.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP ADMX file name: *ActiveXInstallService.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

121
windows/client-management/mdm/policy-csp-applicationdefaults.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Policy CSP - ApplicationDefaults
description: Policy CSP - ApplicationDefaults
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - ApplicationDefaults
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## ApplicationDefaults policies
<!--StartPolicy-->
<a href="" id="applicationdefaults-defaultassociationsconfiguration"></a>**ApplicationDefaults/DefaultAssociationsConfiguration**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
<p style="margin-left: 20px">If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
<p style="margin-left: 20px">To create create the SyncML, follow these steps:
<ol>
<li>Install a few apps and change your defaults.</li>
<li>From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"</li>
<li>Take the XML output and put it through your favorite base64 encoder app.</li>
<li>Paste the base64 encoded XML into the SyncML</li>
</ol>
<p style="margin-left: 20px">Here is an example output from the dism default association export command:
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
<Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
<Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
<Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
<Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
</DefaultAssociations
```
<p style="margin-left: 20px">Here is the base64 encoded result:
``` syntax
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
```
<p style="margin-left: 20px">Here is the SyncMl example:
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>101</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration</LocURI>
</Target>
<Data>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>ApplicationDefaults policies supported by Microsoft Surface Hub
- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
<!--EndSurfaceHub-->

489
windows/client-management/mdm/policy-csp-applicationmanagement.md Normal file
View File

@ -0,0 +1,489 @@
---
title: Policy CSP - ApplicationManagement
description: Policy CSP - ApplicationManagement
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - ApplicationManagement
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## ApplicationManagement policies
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowalltrustedapps"></a>**ApplicationManagement/AllowAllTrustedApps**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether non Windows Store apps are allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Explicit deny.
- 1 Explicit allow unlock.
- 65535 (default) Not configured.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowappstoreautoupdate"></a>**ApplicationManagement/AllowAppStoreAutoUpdate**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether automatic update of apps from Windows Store are allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowdeveloperunlock"></a>**ApplicationManagement/AllowDeveloperUnlock**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether developer unlock is allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Explicit deny.
- 1 Explicit allow unlock.
- 65535 (default) Not configured.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowgamedvr"></a>**ApplicationManagement/AllowGameDVR**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether DVR and broadcasting is allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowshareduserappdata"></a>**ApplicationManagement/AllowSharedUserAppData**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether multiple users of the same app can share data.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowstore"></a>**ApplicationManagement/AllowStore**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether app store is allowed at the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-applicationrestrictions"></a>**ApplicationManagement/ApplicationRestrictions**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
 
<p style="margin-left: 20px">An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
> [!NOTE]
> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
>
> Here's additional guidance for the upgrade process:
>
> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
> - In the SyncML, you must use lowercase product ID.
> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
<p style="margin-left: 20px">An application that is running may not be immediately terminated.
<p style="margin-left: 20px">Value type is chr.
<p style="margin-left: 20px">Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-disablestoreoriginatedapps"></a>**ApplicationManagement/DisableStoreOriginatedApps**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Enable launch of apps.
- 1 Disable launch of apps.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-requireprivatestoreonly"></a>**ApplicationManagement/RequirePrivateStoreOnly**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows disabling of the retail catalog and only enables the Private store.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Allow both public and Private store.
- 1 Only Private store is enabled.
<p style="margin-left: 20px">This is a per user policy.
<p style="margin-left: 20px">Most restricted value is 1.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-restrictappdatatosystemvolume"></a>**ApplicationManagement/RestrictAppDataToSystemVolume**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether application data is restricted to the system drive.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not restricted.
- 1 Restricted.
<p style="margin-left: 20px">Most restricted value is 1.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="applicationmanagement-restrictapptosystemvolume"></a>**ApplicationManagement/RestrictAppToSystemVolume**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the installation of applications is restricted to the system drive.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not restricted.
- 1 Restricted.
<p style="margin-left: 20px">Most restricted value is 1.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>ApplicationManagement policies supported by Windows Holographic for Business
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>ApplicationManagement policies supported by IoT Core
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
<!--EndIoTCore-->

1194
windows/client-management/mdm/policy-csp-appvirtualization.md Normal file
View File

File diff suppressed because it is too large Load Diff

162
windows/client-management/mdm/policy-csp-attachmentmanager.md Normal file
View File

@ -0,0 +1,162 @@
---
title: Policy CSP - AttachmentManager
description: Policy CSP - AttachmentManager
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - AttachmentManager
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## AttachmentManager policies
<!--StartPolicy-->
<a href="" id="attachmentmanager-donotpreservezoneinformation"></a>**AttachmentManager/DoNotPreserveZoneInformation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
If you enable this policy setting, Windows does not mark file attachments with their zone information.
If you disable this policy setting, Windows marks file attachments with their zone information.
If you do not configure this policy setting, Windows marks file attachments with their zone information.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="attachmentmanager-hidezoneinfomechanism"></a>**AttachmentManager/HideZoneInfoMechanism**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
If you enable this policy setting, Windows hides the check box and Unblock button.
If you disable this policy setting, Windows shows the check box and Unblock button.
If you do not configure this policy setting, Windows hides the check box and Unblock button.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="attachmentmanager-notifyantivirusprograms"></a>**AttachmentManager/NotifyAntivirusPrograms**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

165
windows/client-management/mdm/policy-csp-authentication.md Normal file
View File

@ -0,0 +1,165 @@
---
title: Policy CSP - Authentication
description: Policy CSP - Authentication
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Authentication
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Authentication policies
<!--StartPolicy-->
<a href="" id="authentication-alloweapcertsso"></a>**Authentication/AllowEAPCertSSO**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="authentication-allowfastreconnect"></a>**Authentication/AllowFastReconnect**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="authentication-allowsecondaryauthenticationdevice"></a>**Authentication/AllowSecondaryAuthenticationDevice**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 Allowed.
<p style="margin-left: 20px">The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Authentication policies supported by Windows Holographic for Business
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Authentication policies supported by IoT Core
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
<!--EndIoTCore-->

175
windows/client-management/mdm/policy-csp-autoplay.md Normal file
View File

@ -0,0 +1,175 @@
---
title: Policy CSP - Autoplay
description: Policy CSP - Autoplay
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Autoplay
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Autoplay policies
<!--StartPolicy-->
<a href="" id="autoplay-disallowautoplayfornonvolumedevices"></a>**Autoplay/DisallowAutoplayForNonVolumeDevices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="autoplay-setdefaultautorunbehavior"></a>**Autoplay/SetDefaultAutoRunBehavior**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting sets the default behavior for Autorun commands.
Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:
a) Completely disable autorun commands, or
b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.
If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="autoplay-turnoffautoplay"></a>**Autoplay/TurnOffAutoPlay**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to turn off the Autoplay feature.
Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.
Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.
If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
If you disable or do not configure this policy setting, AutoPlay is enabled.
Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off Autoplay*
- GP name: *Autorun*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

71
windows/client-management/mdm/policy-csp-bitlocker.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Policy CSP - Bitlocker
description: Policy CSP - Bitlocker
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Bitlocker
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Bitlocker policies
<!--StartPolicy-->
<a href="" id="bitlocker-encryptionmethod"></a>**Bitlocker/EncryptionMethod**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the BitLocker Drive Encryption method and cipher strength.
> [!NOTE]
> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
<p style="margin-left: 20px">The following list shows the supported values:
- 3 - AES-CBC 128-bit
- 4 - AES-CBC 256-bit
- 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS-AES 256-bit (Desktop only)
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

241
windows/client-management/mdm/policy-csp-bluetooth.md Normal file
View File

@ -0,0 +1,241 @@
---
title: Policy CSP - Bluetooth
description: Policy CSP - Bluetooth
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Bluetooth
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Bluetooth policies
<!--StartPolicy-->
<a href="" id="bluetooth-allowadvertising"></a>**Bluetooth/AllowAdvertising**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the device can send out Bluetooth advertisements.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral.
- 1 (default) Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
<p style="margin-left: 20px">If this is not set or it is deleted, the default value of 1 (Allow) is used.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="bluetooth-allowdiscoverablemode"></a>**Bluetooth/AllowDiscoverableMode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether other Bluetooth-enabled devices can discover the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device.
- 1 (default) Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
<p style="margin-left: 20px">If this is not set or it is deleted, the default value of 1 (Allow) is used.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="bluetooth-allowprepairing"></a>**Bluetooth/AllowPrepairing**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="bluetooth-localdevicename"></a>**Bluetooth/LocalDeviceName**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Sets the local Bluetooth device name.
<p style="margin-left: 20px">If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
<p style="margin-left: 20px">If this policy is not set or it is deleted, the default local radio name is used.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="bluetooth-servicesallowedlist"></a>**Bluetooth/ServicesAllowedList**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
<p style="margin-left: 20px">The default value is an empty string.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Bluetooth policies supported by Windows Holographic for Business
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Bluetooth policies supported by IoT Core
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Bluetooth policies supported by Microsoft Surface Hub
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
<!--EndSurfaceHub-->

1436
windows/client-management/mdm/policy-csp-browser.md Normal file
View File

File diff suppressed because it is too large Load Diff

86
windows/client-management/mdm/policy-csp-camera.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Policy CSP - Camera
description: Policy CSP - Camera
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Camera
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Camera policies
<!--StartPolicy-->
<a href="" id="camera-allowcamera"></a>**Camera/AllowCamera**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Disables or enables the camera.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Camera policies that can be set using Exchange Active Sync (EAS)
- [Camera/AllowCamera](#camera-allowcamera)
<!--EndEAS-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Camera policies supported by IoT Core
- [Camera/AllowCamera](#camera-allowcamera)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Camera policies supported by Microsoft Surface Hub
- [Camera/AllowCamera](#camera-allowcamera)
<!--EndSurfaceHub-->

43
windows/client-management/mdm/policy-csp-cellular.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Policy CSP - Cellular
description: Policy CSP - Cellular
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Cellular
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Cellular policies
<!--StartPolicy-->
<a href="" id="None"></a>**Cellular/ShowAppCellularAccessUI**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

485
windows/client-management/mdm/policy-csp-connectivity.md Normal file
View File

@ -0,0 +1,485 @@
---
title: Policy CSP - Connectivity
description: Policy CSP - Connectivity
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Connectivity
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Connectivity policies
<!--StartPolicy-->
<a href="" id="connectivity-allowbluetooth"></a>**Connectivity/AllowBluetooth**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to enable Bluetooth or restrict access.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
- 1 Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
> [!NOTE]
>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
- 2 (default) Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
<p style="margin-left: 20px">If this is not set or it is deleted, the default value of 2 (Allow) is used.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowcellulardata"></a>**Connectivity/AllowCellularData**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) Allow the cellular data channel. The user can turn it off.
- 2 - Allow the cellular data channel. The user cannot turn it off.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowcellulardataroaming"></a>**Connectivity/AllowCellularDataRoaming**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) Allow cellular data roaming.
- 2 - Allow cellular data roaming on. The user cannot turn it off.
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
<p style="margin-left: 20px">To validate on mobile devices, do the following:
1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**.
3. On the Properties page, select **Data roaming options**.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowconnecteddevices"></a>**Connectivity/AllowConnectedDevices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy requires reboot to take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
<p style="margin-left: 20px">The following list shows the supported values:
- 1 (default) - Allow (CDP service available).
- 0 - Disable (CDP service not available).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allownfc"></a>**Connectivity/AllowNFC**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Allows or disallows near field communication (NFC) on the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Do not allow NFC capabilities.
- 1 (default) Allow NFC capabilities.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
<p style="margin-left: 20px">Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowvpnovercellular"></a>**Connectivity/AllowVPNOverCellular**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies what type of underlying connections VPN is allowed to use.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 VPN is not allowed over cellular.
- 1 (default) VPN can use any connection, including cellular.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-allowvpnroamingovercellular"></a>**Connectivity/AllowVPNRoamingOverCellular**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Prevents the device from connecting to VPN when the device roams over cellular networks.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**Connectivity/DiablePrintingOverHTTP**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP ADMX file name: *ICM.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP ADMX file name: *ICM.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP ADMX file name: *ICM.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="connectivity-hardeneduncpaths"></a>**Connectivity/HardenedUNCPaths**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting configures secure access to UNC paths.
If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP ADMX file name: *networkprovider.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP ADMX file name: *NetworkConnections.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Connectivity policies that can be set using Exchange Active Sync (EAS)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Connectivity policies supported by Windows Holographic for Business
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Connectivity policies supported by IoT Core
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
- [Connectivity/AllowNFC](#connectivity-allownfc)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Connectivity policies supported by Microsoft Surface Hub
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
<!--EndSurfaceHub-->

162
windows/client-management/mdm/policy-csp-credentialproviders.md Normal file
View File

@ -0,0 +1,162 @@
---
title: Policy CSP - CredentialProviders
description: Policy CSP - CredentialProviders
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - CredentialProviders
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## CredentialProviders policies
<!--StartPolicy-->
<a href="" id="credentialproviders-allowpinlogon"></a>**CredentialProviders/AllowPINLogon**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
Note: The user's domain password will be cached in the system vault when using this feature.
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn on convenience PIN sign-in*
- GP name: *AllowDomainPINLogon*
- GP ADMX file name: *credentialproviders.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialproviders-blockpicturepassword"></a>**CredentialProviders/BlockPicturePassword**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to control whether a domain user can sign in using a picture password.
If you enable this policy setting, a domain user can't set up or sign in with a picture password.
If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
Note that the user's domain password will be cached in the system vault when using this feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off picture password sign-in*
- GP name: *BlockDomainPicturePassword*
- GP ADMX file name: *credentialproviders.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialproviders-enablewindowsautopilotresetcredentials"></a>**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
Default value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>CredentialProviders policies supported by IoT Core
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
<!--EndIoTCore-->

118
windows/client-management/mdm/policy-csp-credentialsui.md Normal file
View File

@ -0,0 +1,118 @@
---
title: Policy CSP - CredentialsUI
description: Policy CSP - CredentialsUI
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - CredentialsUI
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## CredentialsUI policies
<!--StartPolicy-->
<a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialsui-enumerateadministrators"></a>**CredentialsUI/EnumerateAdministrators**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
If you disable this policy setting, users will always be required to type a user name and password to elevate.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

104
windows/client-management/mdm/policy-csp-cryptography.md Normal file
View File

@ -0,0 +1,104 @@
---
title: Policy CSP - Cryptography
description: Policy CSP - Cryptography
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Cryptography
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Cryptography policies
<!--StartPolicy-->
<a href="" id="cryptography-allowfipsalgorithmpolicy"></a>**Cryptography/AllowFipsAlgorithmPolicy**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="cryptography-tlsciphersuites"></a>**Cryptography/TLSCipherSuites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Cryptography policies supported by Microsoft Surface Hub
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
<!--EndSurfaceHub-->

112
windows/client-management/mdm/policy-csp-dataprotection.md Normal file
View File

@ -0,0 +1,112 @@
---
title: Policy CSP - DataProtection
description: Policy CSP - DataProtection
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DataProtection
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DataProtection policies
<!--StartPolicy-->
<a href="" id="dataprotection-allowdirectmemoryaccess"></a>**DataProtection/AllowDirectMemoryAccess**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="dataprotection-legacyselectivewipeid"></a>**DataProtection/LegacySelectiveWipeID**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
 
<p style="margin-left: 20px">Setting used by Windows 8.1 Selective Wipe.
> [!NOTE]
> This policy is not recommended for use in Windows 10.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>DataProtection policies supported by IoT Core
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
<!--EndIoTCore-->

126
windows/client-management/mdm/policy-csp-datausage.md Normal file
View File

@ -0,0 +1,126 @@
---
title: Policy CSP - DataUsage
description: Policy CSP - DataUsage
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DataUsage
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DataUsage policies
<!--StartPolicy-->
<a href="" id="datausage-setcost3g"></a>**DataUsage/SetCost3G**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting configures the cost of 3G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="datausage-setcost4g"></a>**DataUsage/SetCost4G**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting configures the cost of 4G connections on the local machine.
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

1490
windows/client-management/mdm/policy-csp-defender.md Normal file
View File

File diff suppressed because it is too large Load Diff

654
windows/client-management/mdm/policy-csp-deliveryoptimization.md Normal file
View File

@ -0,0 +1,654 @@
---
title: Policy CSP - DeliveryOptimization
description: Policy CSP - DeliveryOptimization
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DeliveryOptimization
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DeliveryOptimization policies
<!--StartPolicy-->
<a href="" id="deliveryoptimization-doabsolutemaxcachesize"></a>**DeliveryOptimization/DOAbsoluteMaxCacheSize**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
<p style="margin-left: 20px">The default value is 10.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-doallowvpnpeercaching"></a>**DeliveryOptimization/DOAllowVPNPeerCaching**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
<p style="margin-left: 20px">The default value is 0 (FALSE).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dodownloadmode"></a>**DeliveryOptimization/DODownloadMode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 HTTP only, no peering.
- 1 (default) HTTP blended with peering behind the same NAT.
- 2 HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 HTTP blended with Internet peering.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dogroupid"></a>**DeliveryOptimization/DOGroupId**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
> [!NOTE]
> You must use a GUID as the group ID.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxcacheage"></a>**DeliveryOptimization/DOMaxCacheAge**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
<p style="margin-left: 20px">The default value is 259200 seconds (3 days).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxcachesize"></a>**DeliveryOptimization/DOMaxCacheSize**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
 
<p style="margin-left: 20px">Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
<p style="margin-left: 20px">The default value is 20.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxdownloadbandwidth"></a>**DeliveryOptimization/DOMaxDownloadBandwidth**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
 
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
<p style="margin-left: 20px">The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxuploadbandwidth"></a>**DeliveryOptimization/DOMaxUploadBandwidth**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
 
<p style="margin-left: 20px">Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
<p style="margin-left: 20px">The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominbackgroundqos"></a>**DeliveryOptimization/DOMinBackgroundQos**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
<p style="margin-left: 20px">The default value is 500.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominbatterypercentageallowedtoupload"></a>**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
<p style="margin-left: 20px">The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domindisksizeallowedtopeer"></a>**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
<p style="margin-left: 20px">The default value is 32 GB.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominfilesizetocache"></a>**DeliveryOptimization/DOMinFileSizeToCache**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
<p style="margin-left: 20px">The default value is 100 MB.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominramallowedtopeer"></a>**DeliveryOptimization/DOMinRAMAllowedToPeer**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
<p style="margin-left: 20px">The default value is 4 GB.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domodifycachedrive"></a>**DeliveryOptimization/DOModifyCacheDrive**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
<p style="margin-left: 20px">By default, %SystemDrive% is used to store the cache.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domonthlyuploaddatacap"></a>**DeliveryOptimization/DOMonthlyUploadDataCap**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
<p style="margin-left: 20px">The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
<p style="margin-left: 20px">The default value is 20.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dopercentagemaxdownloadbandwidth"></a>**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
 
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
<p style="margin-left: 20px">The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>DeliveryOptimization policies supported by Microsoft Surface Hub
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
<!--EndSurfaceHub-->

78
windows/client-management/mdm/policy-csp-desktop.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Policy CSP - Desktop
description: Policy CSP - Desktop
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Desktop
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Desktop policies
<!--StartPolicy-->
<a href="" id="desktop-preventuserredirectionofprofilefolders"></a>**Desktop/PreventUserRedirectionOfProfileFolders**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prohibit User from manually redirecting Profile Folders*
- GP name: *DisablePersonalDirChange*
- GP ADMX file name: *desktop.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Desktop policies supported by Microsoft Surface Hub
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
<!--EndSurfaceHub-->

147
windows/client-management/mdm/policy-csp-deviceguard.md Normal file
View File

@ -0,0 +1,147 @@
---
title: Policy CSP - DeviceGuard
description: Policy CSP - DeviceGuard
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DeviceGuard
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DeviceGuard policies
<!--StartPolicy-->
<a href="" id="deviceguard-enablevirtualizationbasedsecurity"></a>**DeviceGuard/EnableVirtualizationBasedSecurity**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
 
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values:
<ul>
<li>0 (default) - disable virtualization based security</li>
<li>1 - enable virtualization based security</li>
</ul>
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deviceguard-lsacfgflags"></a>**DeviceGuard/LsaCfgFlags**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
 
<p style="margin-left: 20px">Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values:
<ul>
<li>0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock</li>
<li>1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock</li>
<li>2 - (Enabled without lock) Turns on Credential Guard without UEFI lock</li>
</ul>
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deviceguard-requireplatformsecurityfeatures"></a>**DeviceGuard/RequirePlatformSecurityFeatures**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
<ul>
<li>1 (default) - Turns on VBS with Secure Boot. </li>
<li>3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.</li>
</ul>
 
<p style="margin-left: 20px">
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>DeviceGuard policies supported by Microsoft Surface Hub
- [DeviceGuard/AllowKernelControlFlowGuard](#None)
<!--EndSurfaceHub-->

114
windows/client-management/mdm/policy-csp-deviceinstallation.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Policy CSP - DeviceInstallation
description: Policy CSP - DeviceInstallation
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DeviceInstallation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DeviceInstallation policies
<!--StartPolicy-->
<a href="" id="deviceinstallation-preventinstallationofmatchingdeviceids"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="deviceinstallation-preventinstallationofmatchingdevicesetupclasses"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

841
windows/client-management/mdm/policy-csp-devicelock.md Normal file
View File

@ -0,0 +1,841 @@
---
title: Policy CSP - DeviceLock
description: Policy CSP - DeviceLock
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - DeviceLock
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## DeviceLock policies
<!--StartPolicy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
 
<p style="margin-left: 20px">Specifies whether the user must input a PIN or password when the device resumes from an idle state.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
 
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
 
<p style="margin-left: 20px">Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
> [!IMPORTANT]
> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-allowsimpledevicepassword"></a>**DeviceLock/AllowSimpleDevicePassword**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-alphanumericdevicepasswordrequired"></a>**DeviceLock/AlphanumericDevicePasswordRequired**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Alphanumeric PIN or password required.
- 1 Numeric PIN or password required.
- 2 (default) Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
> [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
>
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
 
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordenabled"></a>**DeviceLock/DevicePasswordEnabled**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether device lock is enabled.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
 
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
> [!IMPORTANT]
> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
>
> - AllowSimpleDevicePassword
> - MinDevicePasswordLength
> - AlphanumericDevicePasswordRequired
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
> - MinDevicePasswordComplexCharacters
&nbsp;
> [!IMPORTANT]
> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
>
> - MinDevicePasswordLength is set to 4
> - MinDevicePasswordComplexCharacters is set to 1
>
> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
>
> - MinDevicePasswordLength
> - MinDevicePasswordComplexCharacters
> [!Important]
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> - **DevicePasswordEnabled** is the parent policy of the following:
> - AllowSimpleDevicePassword
> - MinDevicePasswordLength
> - AlphanumericDevicePasswordRequired
> - MinDevicePasswordComplexCharacters 
> - DevicePasswordExpiration
> - DevicePasswordHistory
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordexpiration"></a>**DeviceLock/DevicePasswordExpiration**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies when the password expires (in days).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 730.
- 0 (default) - Passwords do not expire.
<p style="margin-left: 20px">If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordhistory"></a>**DeviceLock/DevicePasswordHistory**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies how many passwords can be stored in the history that cant be used.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 50.
- 0 (default)
<p style="margin-left: 20px">The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
<p style="margin-left: 20px">Max policy value is the most restricted.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-enforcelockscreenandlogonimage"></a>**DeviceLock/EnforceLockScreenAndLogonImage**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
> [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
<p style="margin-left: 20px">Value type is a string, which is the full image filepath and filename.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-enforcelockscreenprovider"></a>**DeviceLock/EnforceLockScreenProvider**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
> [!NOTE]
> This policy is only enforced in Windows 10 for mobile devices.
<p style="margin-left: 20px">Value type is a string, which is the AppID.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-maxdevicepasswordfailedattempts"></a>**DeviceLock/MaxDevicePasswordFailedAttempts**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">This policy has different behaviors on the mobile device and desktop.
- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for desktop and 0 &lt;= X &lt;= 999 for mobile devices.
- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
<p style="margin-left: 20px">Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-maxinactivitytimedevicelock"></a>**DeviceLock/MaxInactivityTimeDeviceLock**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-maxinactivitytimedevicelockwithexternaldisplay"></a>**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-mindevicepasswordcomplexcharacters"></a>**DeviceLock/MinDevicePasswordComplexCharacters**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
<p style="margin-left: 20px">PIN enforces the following behavior for desktop and mobile devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
- 3 - Digits, lowercase letters, and uppercase letters are required
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required
<p style="margin-left: 20px">The default value is 1. The following list shows the supported values and actual enforced values:
<table style="margin-left: 20px">
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Account Type</th>
<th>Supported Values</th>
<th>Actual Enforced Values</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>Mobile</p></td>
<td style="vertical-align:top"><p>1,2,3,4</p></td>
<td style="vertical-align:top"><p>Same as the value set</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Desktop Local Accounts</p></td>
<td style="vertical-align:top"><p> 1,2,3</p></td>
<td style="vertical-align:top"><p>3</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Desktop Microsoft Accounts</p></td>
<td style="vertical-align:top"><p>1,2</p></td>
<td style="vertical-align:top"><p2</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Desktop Domain Accounts</p></td>
<td style="vertical-align:top"><p>Not supported</p></td>
<td style="vertical-align:top">Not supported</p></td>
</tr>
</tbody>
</table>
<p style="margin-left: 20px">Enforced values for Local and Microsoft Accounts:
- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
- Passwords for local accounts must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Special characters (!, $, \#, %, etc.)
<p style="margin-left: 20px">The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-mindevicepasswordlength"></a>**DeviceLock/MinDevicePasswordLength**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the minimum number or characters required in the PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
<p style="margin-left: 20px">The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
- Not enforced.
- The default value is 4 for mobile devices and desktop devices.
<p style="margin-left: 20px">Max policy value is the most restricted.
<p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-preventlockscreenslideshow"></a>**DeviceLock/PreventLockScreenSlideShow**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP ADMX file name: *ControlPanelDisplay.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="devicelock-screentimeoutwhilelocked"></a>**DeviceLock/ScreenTimeoutWhileLocked**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
 
<p style="margin-left: 20px">Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
<p style="margin-left: 20px">Minimum supported value is 10.
<p style="margin-left: 20px">Maximum supported value is 1800.
<p style="margin-left: 20px">The default value is 10.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>DeviceLock policies that can be set using Exchange Active Sync (EAS)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>DeviceLock policies supported by Windows Holographic for Business
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
<!--EndHoloLens-->

118
windows/client-management/mdm/policy-csp-display.md Normal file
View File

@ -0,0 +1,118 @@
---
title: Policy CSP - Display
description: Policy CSP - Display
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Display
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Display policies
<!--StartPolicy-->
<a href="" id="display-turnoffgdidpiscalingforapps"></a>**Display/TurnOffGdiDPIScalingForApps**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
<p style="margin-left: 20px">This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
<p style="margin-left: 20px">If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
<p style="margin-left: 20px">If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="display-turnongdidpiscalingforapps"></a>**Display/TurnOnGdiDPIScalingForApps**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
<p style="margin-left: 20px">This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
<p style="margin-left: 20px">If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
<p style="margin-left: 20px">If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Configure the setting for an app which uses GDI.
2. Run the app and observe crisp text.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

240
windows/client-management/mdm/policy-csp-enterprisecloudprint.md Normal file
View File

@ -0,0 +1,240 @@
---
title: Policy CSP - EnterpriseCloudPrint
description: Policy CSP - EnterpriseCloudPrint
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - EnterpriseCloudPrint
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## EnterpriseCloudPrint policies
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintoauthauthority"></a>**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https:<span></span>//azuretenant.contoso.com/adfs".
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintoauthclientid"></a>**EnterpriseCloudPrint/CloudPrintOAuthClientId**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintresourceid"></a>**EnterpriseCloudPrint/CloudPrintResourceId**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a URL. For example, "http:<span></span>//MicrosoftEnterpriseCloudPrint/CloudPrint".
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprinterdiscoveryendpoint"></a>**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https:<span></span>//cloudprinterdiscovery.contoso.com".
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-discoverymaxprinterlimit"></a>**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
<p style="margin-left: 20px">The datatype is an integer.
<p style="margin-left: 20px">For Windows Mobile, the default value is 20.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-mopriadiscoveryresourceid"></a>**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a URL. For example, "http:<span></span>//MopriaDiscoveryService/CloudPrint".
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

254
windows/client-management/mdm/policy-csp-errorreporting.md Normal file
View File

@ -0,0 +1,254 @@
---
title: Policy CSP - ErrorReporting
description: Policy CSP - ErrorReporting
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - ErrorReporting
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## ErrorReporting policies
<!--StartPolicy-->
<a href="" id="errorreporting-customizeconsentsettings"></a>**ErrorReporting/CustomizeConsentSettings**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
- 4 (Send all data): Any data requested by Microsoft is sent automatically.
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Customize consent settings*
- GP name: *WerConsentCustomize_2*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="errorreporting-disablewindowserrorreporting"></a>**ErrorReporting/DisableWindowsErrorReporting**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="errorreporting-displayerrornotification"></a>**ErrorReporting/DisplayErrorNotification**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether users are shown an error dialog box that lets them report an error.
If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
See also the Configure Error Reporting policy setting.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="errorreporting-donotsendadditionaldata"></a>**ErrorReporting/DoNotSendAdditionalData**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="errorreporting-preventcriticalerrordisplay"></a>**ErrorReporting/PreventCriticalErrorDisplay**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting prevents the display of the user interface for critical errors.
If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

200
windows/client-management/mdm/policy-csp-eventlogservice.md Normal file
View File

@ -0,0 +1,200 @@
---
title: Policy CSP - EventLogService
description: Policy CSP - EventLogService
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - EventLogService
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## EventLogService policies
<!--StartPolicy-->
<a href="" id="eventlogservice-controleventlogbehavior"></a>**EventLogService/ControlEventLogBehavior**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizeapplicationlog"></a>**EventLogService/SpecifyMaximumFileSizeApplicationLog**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizesecuritylog"></a>**EventLogService/SpecifyMaximumFileSizeSecurityLog**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizesystemlog"></a>**EventLogService/SpecifyMaximumFileSizeSystemLog**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

782
windows/client-management/mdm/policy-csp-experience.md Normal file
View File

@ -0,0 +1,782 @@
---
title: Policy CSP - Experience
description: Policy CSP - Experience
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Experience
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Experience policies
<!--StartPolicy-->
<a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether copy and paste is allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether Cortana is allowed on the device. If you enable or dont configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">Benefit to the customer:
<p style="margin-left: 20px">Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive.
<p style="margin-left: 20px">Sample scenario:
<p style="margin-left: 20px">An enterprise employee customer is going through OOBE and enjoys Cortanas help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowdevicediscovery"></a>**Experience/AllowDeviceDiscovery**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows users to turn on/off device discovery UX.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowmanualmdmunenrollment"></a>**Experience/AllowManualMDMUnenrollment**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the user to delete the workplace account using the workplace control panel.
> [!NOTE]
> The MDM server can always remotely delete the account.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether to display dialog prompt when no SIM card is detected.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 SIM card dialog prompt is not displayed.
- 1 (default) SIM card dialog prompt is displayed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether screen capture is allowed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Sync settings is not allowed.
- 1 (default) Sync settings allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
<p style="margin-left: 20px">Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowtaskswitcher"></a>**Experience/AllowTaskSwitcher**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Allows or disallows task switching on the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Task switching not allowed.
- 1 (default) Task switching allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowthirdpartysuggestionsinwindowsspotlight"></a>**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p style="margin-left: 20px">Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Third-party suggestions not allowed.
- 1 (default) Third-party suggestions allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether voice recording is allowed for apps.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowwindowsconsumerfeatures"></a>**Experience/AllowWindowsConsumerFeatures**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result.
 
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlight"></a>**Experience/AllowWindowsSpotlight**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
<p style="margin-left: 20px">Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-allowwindowstips"></a>**Experience/AllowWindowsTips**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Enables or disables Windows Tips / soft landing.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disabled.
- 1 (default) Enabled.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
<p style="margin-left: 20px">Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 None.
- 1 (default) Windows spotlight enabled.
- 2 placeholder only for future extension. Using this value has no effect.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Prevents devices from showing feedback questions from Microsoft.
<p style="margin-left: 20px">If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
- 1 Feedback notifications are disabled.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Experience policies supported by Windows Holographic for Business
- [Experience/AllowCortana](#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
<!--EndHoloLens-->

61
windows/client-management/mdm/policy-csp-games.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Policy CSP - Games
description: Policy CSP - Games
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Games
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Games policies
<!--StartPolicy-->
<a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Placeholder only. Currently not supported.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

8012
windows/client-management/mdm/policy-csp-internetexplorer.md Normal file
View File

File diff suppressed because it is too large Load Diff

247
windows/client-management/mdm/policy-csp-kerberos.md Normal file
View File

@ -0,0 +1,247 @@
---
title: Policy CSP - Kerberos
description: Policy CSP - Kerberos
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Kerberos policies
<!--StartPolicy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Use forest search order*
- GP name: *ForestSearch*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

102
windows/client-management/mdm/policy-csp-licensing.md Normal file
View File

@ -0,0 +1,102 @@
---
title: Policy CSP - Licensing
description: Policy CSP - Licensing
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Licensing
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Licensing policies
<!--StartPolicy-->
<a href="" id="licensing-allowwindowsentitlementreactivation"></a>**Licensing/AllowWindowsEntitlementReactivation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disable Windows license reactivation on managed devices.
- 1 (default) Enable Windows license reactivation on managed devices.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="licensing-disallowkmsclientonlineavsvalidation"></a>**Licensing/DisallowKMSClientOnlineAVSValidation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Disabled.
- 1 Enabled.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

74
windows/client-management/mdm/policy-csp-location.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Policy CSP - Location
description: Policy CSP - Location
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Location
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Location policies
<!--StartPolicy-->
<a href="" id="location-enablelocation"></a>**Location/EnableLocation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
> [!IMPORTANT]
> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Disabled.
- 1 Enabled.
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

68
windows/client-management/mdm/policy-csp-lockdown.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Policy CSP - LockDown
description: Policy CSP - LockDown
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - LockDown
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## LockDown policies
<!--StartPolicy-->
<a href="" id="lockdown-allowedgeswipe"></a>**LockDown/AllowEdgeSwipe**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 - disallow edge swipe.
- 1 (default, not configured) - allow edge swipe.
<p style="margin-left: 20px">The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

108
windows/client-management/mdm/policy-csp-maps.md Normal file
View File

@ -0,0 +1,108 @@
---
title: Policy CSP - Maps
description: Policy CSP - Maps
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Maps
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Maps policies
<!--StartPolicy-->
<a href="" id="maps-allowofflinemapsdownloadovermeteredconnection"></a>**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
<p style="margin-left: 20px">The following list shows the supported values:
- 65535 (default) Not configured. User's choice.
- 0 Disabled. Force disable auto-update over metered connection.
- 1 Enabled. Force enable auto-update over metered connection.
<p style="margin-left: 20px">After the policy is applied, you can verify the settings in the user interface in **System** &gt; **Offline Maps**.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="maps-enableofflinemapsautoupdate"></a>**Maps/EnableOfflineMapsAutoUpdate**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Disables the automatic download and update of map data.
<p style="margin-left: 20px">The following list shows the supported values:
- 65535 (default) Not configured. User's choice.
- 0 Disabled. Force off auto-update.
- 1 Enabled. Force on auto-update.
<p style="margin-left: 20px">After the policy is applied, you can verify the settings in the user interface in **System** &gt; **Offline Maps**.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

144
windows/client-management/mdm/policy-csp-messaging.md Normal file
View File

@ -0,0 +1,144 @@
---
title: Policy CSP - Messaging
description: Policy CSP - Messaging
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Messaging
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Messaging policies
<!--StartPolicy-->
<a href="" id="messaging-allowmms"></a>**Messaging/AllowMMS**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="messaging-allowmessagesync"></a>**Messaging/AllowMessageSync**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 - message sync is not allowed and cannot be changed by the user.
- 1 - message sync is allowed. The user can change this setting.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="messaging-allowrcs"></a>**Messaging/AllowRCS**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 - Disabled.
- 1 (default) - Enabled.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

297
windows/client-management/mdm/policy-csp-networkisolation.md Normal file
View File

@ -0,0 +1,297 @@
---
title: Policy CSP - NetworkIsolation
description: Policy CSP - NetworkIsolation
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - NetworkIsolation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## NetworkIsolation policies
<!--StartPolicy-->
<a href="" id="networkisolation-enterprisecloudresources"></a>**NetworkIsolation/EnterpriseCloudResources**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|**.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseiprange"></a>**NetworkIsolation/EnterpriseIPRange**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
``` syntax
10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
```
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseiprangesareauthoritative"></a>**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseinternalproxyservers"></a>**NetworkIsolation/EnterpriseInternalProxyServers**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterprisenetworkdomainnames"></a>**NetworkIsolation/EnterpriseNetworkDomainNames**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
> [!NOTE]
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
 
<p style="margin-left: 20px">Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -&gt; microsoft.com.
2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseproxyservers"></a>**NetworkIsolation/EnterpriseProxyServers**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseproxyserversareauthoritative"></a>**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="networkisolation-neutralresources"></a>**NetworkIsolation/NeutralResources**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">List of domain names that can used for work or personal resource.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

77
windows/client-management/mdm/policy-csp-notifications.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Policy CSP - Notifications
description: Policy CSP - Notifications
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Notifications
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Notifications policies
<!--StartPolicy-->
<a href="" id="notifications-disallownotificationmirroring"></a>**Notifications/DisallowNotificationMirroring**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
<p style="margin-left: 20px">For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
<p style="margin-left: 20px">No reboot or service restart is required for this policy to take effect.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) enable notification mirroring.
- 1 disable notification mirroring.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

421
windows/client-management/mdm/policy-csp-power.md Normal file
View File

@ -0,0 +1,421 @@
---
title: Policy CSP - Power
description: Policy CSP - Power
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Power
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Power policies
<!--StartPolicy-->
<a href="" id="power-allowstandbywhensleepingpluggedin"></a>**Power/AllowStandbyWhenSleepingPluggedIn**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
If you disable this policy setting, standby states (S1-S3) are not allowed.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutonbattery"></a>**Power/DisplayOffTimeoutOnBattery**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutpluggedin"></a>**Power/DisplayOffTimeoutPluggedIn**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutonbattery"></a>**Power/HibernateTimeoutOnBattery**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutpluggedin"></a>**Power/HibernateTimeoutPluggedIn**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-requirepasswordwhencomputerwakesonbattery"></a>**Power/RequirePasswordWhenComputerWakesOnBattery**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-requirepasswordwhencomputerwakespluggedin"></a>**Power/RequirePasswordWhenComputerWakesPluggedIn**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-standbytimeoutonbattery"></a>**Power/StandbyTimeoutOnBattery**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-standbytimeoutpluggedin"></a>**Power/StandbyTimeoutPluggedIn**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

184
windows/client-management/mdm/policy-csp-printers.md Normal file
View File

@ -0,0 +1,184 @@
---
title: Policy CSP - Printers
description: Policy CSP - Printers
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Printers
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Printers policies
<!--StartPolicy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
If you do not configure this policy setting:
-Windows Vista client computers can point and print to any server.
-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
If you disable this policy setting:
-Windows Vista client computers can create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions_Win7*
- GP ADMX file name: *Printing.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="printers-pointandprintrestrictions_user"></a>**Printers/PointAndPrintRestrictions_User**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
If you do not configure this policy setting:
-Windows Vista client computers can point and print to any server.
-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
If you disable this policy setting:
-Windows Vista client computers can create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP ADMX file name: *Printing.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="printers-publishprinters"></a>**Printers/PublishPrinters**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Determines whether the computer's shared printers can be published in Active Directory.
If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow printers to be published*
- GP name: *PublishPrinters*
- GP ADMX file name: *Printing2.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

2556
windows/client-management/mdm/policy-csp-privacy.md Normal file
View File

File diff suppressed because it is too large Load Diff

249
windows/client-management/mdm/policy-csp-remoteassistance.md Normal file
View File

@ -0,0 +1,249 @@
---
title: Policy CSP - RemoteAssistance
description: Policy CSP - RemoteAssistance
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - RemoteAssistance
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## RemoteAssistance policies
<!--StartPolicy-->
<a href="" id="remoteassistance-customizewarningmessages"></a>**RemoteAssistance/CustomizeWarningMessages**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting lets you customize warning messages.
The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
If you disable this policy setting, the user sees the default warning message.
If you do not configure this policy setting, the user sees the default warning message.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Customize warning messages*
- GP name: *RA_Options*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remoteassistance-sessionlogging"></a>**RemoteAssistance/SessionLogging**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
If you enable this policy setting, log files are generated.
If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn on session logging*
- GP name: *RA_Logging*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remoteassistance-solicitedremoteassistance"></a>**RemoteAssistance/SolicitedRemoteAssistance**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remoteassistance-unsolicitedremoteassistance"></a>**RemoteAssistance/UnsolicitedRemoteAssistance**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
<Domain Name>\<User Name> or
<Domain Name>\<Group Name>
If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
Windows Vista and later
Enable the Remote Assistance exception for the domain profile. The exception must contain:
Port 135:TCP
%WINDIR%\System32\msra.exe
%WINDIR%\System32\raserver.exe
Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
%WINDIR%\System32\Sessmgr.exe
For computers running Windows Server 2003 with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
Allow Remote Desktop Exception
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

314
windows/client-management/mdm/policy-csp-remotedesktopservices.md Normal file
View File

@ -0,0 +1,314 @@
---
title: Policy CSP - RemoteDesktopServices
description: Policy CSP - RemoteDesktopServices
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - RemoteDesktopServices
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## RemoteDesktopServices policies
<!--StartPolicy-->
<a href="" id="remotedesktopservices-allowuserstoconnectremotely"></a>**RemoteDesktopServices/AllowUsersToConnectRemotely**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remotedesktopservices-clientconnectionencryptionlevel"></a>**RemoteDesktopServices/ClientConnectionEncryptionLevel**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
Important
FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remotedesktopservices-donotallowdriveredirection"></a>**RemoteDesktopServices/DoNotAllowDriveRedirection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remotedesktopservices-donotallowpasswordsaving"></a>**RemoteDesktopServices/DoNotAllowPasswordSaving**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Controls whether passwords can be saved on this computer from Remote Desktop Connection.
If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remotedesktopservices-requiresecurerpccommunication"></a>**RemoteDesktopServices/RequireSecureRPCCommunication**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
If the status is set to Not Configured, unsecured communication is allowed.
Note: The RPC interface is used for administering and configuring Remote Desktop Services.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

225
windows/client-management/mdm/policy-csp-remotemanagement.md Normal file
View File

@ -0,0 +1,225 @@
---
title: Policy CSP - RemoteManagement
description: Policy CSP - RemoteManagement
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - RemoteManagement
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## RemoteManagement policies
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowBasicAuthentication_Client**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowBasicAuthentication_Service**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowCredSSPAuthenticationClient**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowCredSSPAuthenticationService**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowRemoteServerManagement**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowUnencryptedTraffic_Client**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/AllowUnencryptedTraffic_Service**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/DisallowDigestAuthentication**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/DisallowNegotiateAuthenticationClient**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/DisallowNegotiateAuthenticationService**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/DisallowStoringOfRunAsCredentials**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/TrustedHosts**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/TurnOnCompatibilityHTTPListener**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteManagement/TurnOnCompatibilityHTTPSListener**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

130
windows/client-management/mdm/policy-csp-remoteprocedurecall.md Normal file
View File

@ -0,0 +1,130 @@
---
title: Policy CSP - RemoteProcedureCall
description: Policy CSP - RemoteProcedureCall
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - RemoteProcedureCall
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## RemoteProcedureCall policies
<!--StartPolicy-->
<a href="" id="remoteprocedurecall-rpcendpointmapperclientauthentication"></a>**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
Note: This policy will not be applied until the system is rebooted.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP ADMX file name: *rpc.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="remoteprocedurecall-restrictunauthenticatedrpcclients"></a>**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
Note: This policy setting will not be applied until the system is rebooted.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP ADMX file name: *rpc.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

121
windows/client-management/mdm/policy-csp-remoteshell.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Policy CSP - RemoteShell
description: Policy CSP - RemoteShell
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - RemoteShell
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## RemoteShell policies
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/AllowRemoteShellAccess**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/MaxConcurrentUsers**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/SpecifyIdleTimeout**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/SpecifyMaxMemory**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/SpecifyMaxProcesses**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/SpecifyMaxRemoteShells**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="None"></a>**RemoteShell/SpecifyShellTimeout**
<!--StartDescription-->
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

392
windows/client-management/mdm/policy-csp-search.md Normal file
View File

@ -0,0 +1,392 @@
---
title: Policy CSP - Search
description: Policy CSP - Search
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Search
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Search policies
<!--StartPolicy-->
<a href="" id="search-allowindexingencryptedstoresoritems"></a>**Search/AllowIndexingEncryptedStoresOrItems**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
<p style="margin-left: 20px">When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
<p style="margin-left: 20px">When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-allowsearchtouselocation"></a>**Search/AllowSearchToUseLocation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether search can leverage location information.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-allowusingdiacritics"></a>**Search/AllowUsingDiacritics**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the use of diacritics.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-alwaysuseautolangdetection"></a>**Search/AlwaysUseAutoLangDetection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to always use automatic language detection when indexing content and properties.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-disablebackoff"></a>**Search/DisableBackoff**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Disable.
- 1 Enable.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-disableremovabledriveindexing"></a>**Search/DisableRemovableDriveIndexing**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy setting configures whether or not locations on removable drives can be added to libraries.
<p style="margin-left: 20px">If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Disable.
- 1 Enable.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-preventindexinglowdiskspacemb"></a>**Search/PreventIndexingLowDiskSpaceMB**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
<p style="margin-left: 20px">Enable this policy if computers in your environment have extremely limited hard drive space.
<p style="margin-left: 20px">When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disable.
- 1 (default) Enable.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-preventremotequeries"></a>**Search/PreventRemoteQueries**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disable.
- 1 (default) Enable.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-safesearchpermissions"></a>**Search/SafeSearchPermissions**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies what level of safe search (filtering adult content) is required.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Strict, highest filtering against adult content.
- 1 (default) Moderate filtering against adult content (valid search results will not be filtered).
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Search policies that can be set using Exchange Active Sync (EAS)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Search policies supported by Windows Holographic for Business
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
<!--EndHoloLens-->

426
windows/client-management/mdm/policy-csp-security.md Normal file
View File

@ -0,0 +1,426 @@
---
title: Policy CSP - Security
description: Policy CSP - Security
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Security
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Security policies
<!--StartPolicy-->
<a href="" id="security-allowaddprovisioningpackage"></a>**Security/AllowAddProvisioningPackage**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to install provisioning packages.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-allowautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy has been deprecated in Windows 10, version 1607
<br>
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-allowmanualrootcertificateinstallation"></a>**Security/AllowManualRootCertificateInstallation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
<p style="margin-left: 20px">Specifies whether the user is allowed to manually install root and intermediate CA certificates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-allowremoveprovisioningpackage"></a>**Security/AllowRemoveProvisioningPackage**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to remove provisioning packages.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-antitheftmode"></a>**Security/AntiTheftMode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
 
<p style="margin-left: 20px">Allows or disallow Anti Theft Mode on the device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Don't allow Anti Theft Mode.
- 1 (default) Anti Theft Mode will follow the default device configuration (region-dependent).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-preventautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
<p style="margin-left: 20px">Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Encryption enabled.
- 1 Encryption disabled.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
<p style="margin-left: 20px">Allows enterprise to turn on internal storage encryption.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Encryption is not required.
- 1 Encryption is required.
<p style="margin-left: 20px">Most restricted value is 1.
> [!IMPORTANT]
> If encryption has been enabled, it cannot be turned off by using this policy.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-requireprovisioningpackagesignature"></a>**Security/RequireProvisioningPackageSignature**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not required.
- 1 Required.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-requireretrievehealthcertificateonboot"></a>**Security/RequireRetrieveHealthCertificateOnBoot**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not required.
- 1 Required.
<p style="margin-left: 20px">Setting this policy to 1 (Required):
- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
> [!NOTE]
> We recommend that this policy is set to Required after MDM enrollment.
 
<p style="margin-left: 20px">Most restricted value is 1.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Security policies that can be set using Exchange Active Sync (EAS)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Security policies supported by Windows Holographic for Business
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Security policies supported by IoT Core
- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Security policies supported by Microsoft Surface Hub
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
<!--EndSurfaceHub-->

559
windows/client-management/mdm/policy-csp-settings.md Normal file
View File

@ -0,0 +1,559 @@
---
title: Policy CSP - Settings
description: Policy CSP - Settings
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Settings
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Settings policies
<!--StartPolicy-->
<a href="" id="settings-allowautoplay"></a>**Settings/AllowAutoPlay**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows the user to change Auto Play settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
> [!NOTE]
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowdatasense"></a>**Settings/AllowDataSense**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change Data Sense settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowdatetime"></a>**Settings/AllowDateTime**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change date and time settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows editing of the device name.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows the user to change the language settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowpowersleep"></a>**Settings/AllowPowerSleep**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows the user to change power and sleep settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowregion"></a>**Settings/AllowRegion**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows the user to change the region settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowsigninoptions"></a>**Settings/AllowSignInOptions**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows the user to change sign-in options.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowvpn"></a>**Settings/AllowVPN**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change VPN settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowworkplace"></a>**Settings/AllowWorkplace**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows user to change workplace settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-allowyouraccount"></a>**Settings/AllowYourAccount**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows user to change account settings.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-configuretaskbarcalendar"></a>**Settings/ConfigureTaskbarCalendar**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) User will be allowed to configure the setting.
- 1 Don't show additional calendars.
- 2 - Simplified Chinese (Lunar).
- 3 - Traditional Chinese (Lunar).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="settings-pagevisibilitylist"></a>**Settings/PageVisibilityList**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
<p style="margin-left: 20px">The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
<p style="margin-left: 20px">showonly:about;bluetooth
<p style="margin-left: 20px">If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
<p style="margin-left: 20px">The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one which hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
<p style="margin-left: 20px">The default value for this setting is an empty string, which is interpreted as show everything.
<p style="margin-left: 20px">Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
<p style="margin-left: 20px">showonly:wi-fi;bluetooth
<p style="margin-left: 20px">Example 2, specifies that the wifi page should not be shown:
<p style="margin-left: 20px">hide:wifi
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Open System Settings and verfiy that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".
3. Open System Settings again and verify that the About page is no longer accessible.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Settings policies supported by Windows Holographic for Business
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
<!--EndHoloLens-->

138
windows/client-management/mdm/policy-csp-smartscreen.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Policy CSP - SmartScreen
description: Policy CSP - SmartScreen
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - SmartScreen
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## SmartScreen policies
<!--StartPolicy-->
<a href="" id="smartscreen-enableappinstallcontrol"></a>**SmartScreen/EnableAppInstallControl**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
- 1 Turns on Application Installation Control, allowing users to only install apps from the Store.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="smartscreen-enablesmartscreeninshell"></a>**SmartScreen/EnableSmartScreenInShell**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Turns off SmartScreen in Windows.
- 1 Turns on SmartScreen in Windows.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="smartscreen-preventoverrideforfilesinshell"></a>**SmartScreen/PreventOverrideForFilesInShell**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Employees can ignore SmartScreen warnings and run malicious files.
- 1 Employees cannot ignore SmartScreen warnings and run malicious files.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

66
windows/client-management/mdm/policy-csp-speech.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Policy CSP - Speech
description: Policy CSP - Speech
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Speech
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Speech policies
<!--StartPolicy-->
<a href="" id="speech-allowspeechmodelupdate"></a>**Speech/AllowSpeechModelUpdate**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

1192
windows/client-management/mdm/policy-csp-start.md Normal file
View File

File diff suppressed because it is too large Load Diff

72
windows/client-management/mdm/policy-csp-storage.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Policy CSP - Storage
description: Policy CSP - Storage
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Storage
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Storage policies
<!--StartPolicy-->
<a href="" id="storage-enhancedstoragedevices"></a>**Storage/EnhancedStorageDevices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
- GP ADMX file name: *enhancedstorage.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

614
windows/client-management/mdm/policy-csp-system.md Normal file
View File

@ -0,0 +1,614 @@
---
title: Policy CSP - System
description: Policy CSP - System
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - System
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## System policies
<!--StartPolicy-->
<a href="" id="system-allowbuildpreview"></a>**System/AllowBuildPreview**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
<p style="margin-left: 20px">This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
<p style="margin-left: 20px">If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
- 1 Allowed. Users can make their devices available for downloading and installing preview software.
- 2 (default) Not configured. Users can make their devices available for downloading and installing preview software.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowembeddedmode"></a>**System/AllowEmbeddedMode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether set general purpose device to be in embedded mode.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowexperimentation"></a>**System/AllowExperimentation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is not supported in Windows 10, version 1607.
<p style="margin-left: 20px">This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disabled.
- 1 (default) Permits Microsoft to configure device settings only.
- 2 Allows Microsoft to conduct full experimentations.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowfontproviders"></a>**System/AllowFontProviders**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
<p style="margin-left: 20px">Supported values:
- false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
<p style="margin-left: 20px">This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
<p style="margin-left: 20px">This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
> [!Note]
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
<p style="margin-left: 20px">To verify if System/AllowFontProviders is set to true:
- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowlocation"></a>**System/AllowLocation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow app access to the Location service.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
- 1 (default) Location service is allowed. The user has control and can change Location Privacy settings on or off.
- 2 Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
<p style="margin-left: 20px">When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
<p style="margin-left: 20px">For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowstoragecard"></a>**System/AllowStorageCard**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
- 1 (default) Allow a storage card.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowtelemetry"></a>**System/AllowTelemetry**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow the device to send diagnostic and usage telemetry data, such as Watson.
<p style="margin-left: 20px">The following tables describe the supported values:
<table style="margin-left: 20px">
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th>Windows 8.1 Values</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>0 Not allowed.</p>
</td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p> 1 Allowed, except for Secondary Data Requests.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>2 (default) Allowed.</p></td>
</tr>
</tbody>
</table>
<table style="margin-left: 20px">
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th>Windows 10 Values</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>0 Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.</p>
<div class="alert">
<strong>Note</strong>  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
</div>
</td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>1 Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>2 Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.</p></td>
</tr>
</tbody>
</table>
> [!IMPORTANT]
> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-allowusertoresetphone"></a>**System/AllowUserToResetPhone**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed to reset to factory default settings.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
N/A
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP name: *POL_DriverLoadPolicy_Name*
- GP ADMX file name: *earlylauncham.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-disableonedrivefilesync"></a>**System/DisableOneDriveFileSync**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
* Users cannot access OneDrive from the OneDrive app or file picker.
* Windows Store apps cannot access OneDrive using the WinRT API.
* OneDrive does not appear in the navigation pane in File Explorer.
* OneDrive files are not kept in sync with the cloud.
* Users cannot automatically upload photos and videos from the camera roll folder.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) False (sync enabled).
- 1 True (sync disabled).
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Enable policy.
2. Restart machine.
3. Verify that OneDrive.exe is not running in Task Manager.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-disablesystemrestore"></a>**System/DisableSystemRestore**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Allows you to disable System Restore.
This policy setting allows you to turn off System Restore.
System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off System Restore*
- GP name: *SR_DisableSR*
- GP ADMX file name: *systemrestore.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-telemetryproxy"></a>**System/TelemetryProxy**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *&lt;server&gt;:&lt;port&gt;*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>System policies that can be set using Exchange Active Sync (EAS)
- [System/AllowStorageCard](#system-allowstoragecard)
- [System/TelemetryProxy](#system-telemetryproxy)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>System policies supported by Windows Holographic for Business
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
<!--EndHoloLens-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>System policies supported by IoT Core
- [System/AllowEmbeddedMode](#system-allowembeddedmode)
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowStorageCard](#system-allowstoragecard)
- [System/TelemetryProxy](#system-telemetryproxy)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>System policies supported by Microsoft Surface Hub
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
<!--EndSurfaceHub-->

580
windows/client-management/mdm/policy-csp-textinput.md Normal file
View File

@ -0,0 +1,580 @@
---
title: Policy CSP - TextInput
description: Policy CSP - TextInput
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - TextInput
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## TextInput policies
<!--StartPolicy-->
<a href="" id="textinput-allowimelogging"></a>**TextInput/AllowIMELogging**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowimenetworkaccess"></a>**TextInput/AllowIMENetworkAccess**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowinputpanel"></a>**TextInput/AllowInputPanel**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the IT admin to disable the touch/handwriting keyboard on Windows.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowjapaneseimesurrogatepaircharacters"></a>**TextInput/AllowJapaneseIMESurrogatePairCharacters**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the Japanese IME surrogate pair characters.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowjapaneseivscharacters"></a>**TextInput/AllowJapaneseIVSCharacters**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows Japanese Ideographic Variation Sequence (IVS) characters.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowjapanesenonpublishingstandardglyph"></a>**TextInput/AllowJapaneseNonPublishingStandardGlyph**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the Japanese non-publishing standard glyph.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowjapaneseuserdictionary"></a>**TextInput/AllowJapaneseUserDictionary**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the Japanese user dictionary.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowkeyboardtextsuggestions"></a>**TextInput/AllowKeyboardTextSuggestions**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Disabled.
- 1 (default) Enabled.
<p style="margin-left: 20px">Most restricted value is 0.
<p style="margin-left: 20px">To validate that text prediction is disabled on Windows 10 for desktop, do the following:
1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowkoreanextendedhanja"></a>**TextInput/AllowKoreanExtendedHanja**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy has been deprecated.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-allowlanguagefeaturesuninstall"></a>**TextInput/AllowLanguageFeaturesUninstall**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the uninstall of language features, such as spell checkers, on a device.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-excludejapaneseimeexceptjis0208"></a>**TextInput/ExcludeJapaneseIMEExceptJIS0208**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the users to restrict character code range of conversion by setting the character filter.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) No characters are filtered.
- 1 All characters except JIS0208 are filtered.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-excludejapaneseimeexceptjis0208andeudc"></a>**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the users to restrict character code range of conversion by setting the character filter.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) No characters are filtered.
- 1 All characters except JIS0208 and EUDC are filtered.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="textinput-excludejapaneseimeexceptshiftjis"></a>**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
<p style="margin-left: 20px">Allows the users to restrict character code range of conversion by setting the character filter.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) No characters are filtered.
- 1 All characters except ShiftJIS are filtered.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>TextInput policies supported by Microsoft Surface Hub
- [TextInput/AllowIMELogging](#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
<!--EndSurfaceHub-->

74
windows/client-management/mdm/policy-csp-timelanguagesettings.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Policy CSP - TimeLanguageSettings
description: Policy CSP - TimeLanguageSettings
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - TimeLanguageSettings
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## TimeLanguageSettings policies
<!--StartPolicy-->
<a href="" id="timelanguagesettings-allowset24hourclock"></a>**TimeLanguageSettings/AllowSet24HourClock**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Locale default setting.
- 1 (default) Set 24 hour clock.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>TimeLanguageSettings policies supported by Microsoft Surface Hub
- [TimeLanguageSettings/Set24HourClock](#None)
- [TimeLanguageSettings/SetCountry](#None)
- [TimeLanguageSettings/SetLanguage](#None)
<!--EndSurfaceHub-->

1886
windows/client-management/mdm/policy-csp-update.md Normal file
View File

File diff suppressed because it is too large Load Diff

309
windows/client-management/mdm/policy-csp-wifi.md Normal file
View File

@ -0,0 +1,309 @@
---
title: Policy CSP - Wifi
description: Policy CSP - Wifi
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - Wifi
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Wifi policies
<!--StartPolicy-->
<a href="" id="wifi-allowwifihotspotreporting"></a>**WiFi/AllowWiFiHotSpotReporting**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy has been deprecated.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-allowautoconnecttowifisensehotspots"></a>**Wifi/AllowAutoConnectToWiFiSenseHotspots**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow or disallow the device to automatically connect to Wi-Fi hotspots.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-allowinternetsharing"></a>**Wifi/AllowInternetSharing**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow or disallow internet sharing.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Do not allow the use of Internet Sharing.
- 1 (default) Allow the use of Internet Sharing.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-allowmanualwificonfiguration"></a>**Wifi/AllowManualWiFiConfiguration**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 No Wi-Fi connection outside of MDM provisioned network is allowed.
- 1 (default) Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
<p style="margin-left: 20px">Most restricted value is 0.
> [!NOTE]
> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-allowwifi"></a>**Wifi/AllowWiFi**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow or disallow WiFi connection.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 WiFi connection is not allowed.
- 1 (default) WiFi connection is allowed.
<p style="margin-left: 20px">Most restricted value is 0.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-allowwifidirect"></a>**Wifi/AllowWiFiDirect**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allow WiFi Direct connection..
- 0 - WiFi Direct connection is not allowed.
- 1 - WiFi Direct connection is allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wifi-wlanscanmode"></a>**Wifi/WLANScanMode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
<p style="margin-left: 20px">Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
<p style="margin-left: 20px">The default value is 0.
<p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Wifi policies that can be set using Exchange Active Sync (EAS)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
<!--EndEAS-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Wifi policies supported by IoT Core
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Wifi policies supported by Microsoft Surface Hub
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->

103
windows/client-management/mdm/policy-csp-windowsinkworkspace.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Policy CSP - WindowsInkWorkspace
description: Policy CSP - WindowsInkWorkspace
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - WindowsInkWorkspace
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## WindowsInkWorkspace policies
<!--StartPolicy-->
<a href="" id="windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
<p style="margin-left: 20px">Value type is bool. The following list shows the supported values:
- 0 - app suggestions are not allowed.
- 1 (default) -allow app suggestions.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="windowsinkworkspace-allowwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowWindowsInkWorkspace**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
<p style="margin-left: 20px">Value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

155
windows/client-management/mdm/policy-csp-windowslogon.md Normal file
View File

@ -0,0 +1,155 @@
---
title: Policy CSP - WindowsLogon
description: Policy CSP - WindowsLogon
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - WindowsLogon
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## WindowsLogon policies
<!--StartPolicy-->
<a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to prevent app notifications from appearing on the lock screen.
If you enable this policy setting, no app notifications are displayed on the lock screen.
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP ADMX file name: *logon.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="windowslogon-dontdisplaynetworkselectionui"></a>**WindowsLogon/DontDisplayNetworkSelectionUI**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP ADMX file name: *logon.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
<p style="margin-left: 20px">Value type is bool. The following list shows the supported values:
- 0 (default) - Diabled (visible).
- 1 - Enabled (hidden).
<p style="margin-left: 20px">To validate on Desktop, do the following:
1. Enable policy.
2. Verify that the Switch account button in Start is hidden.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

239
windows/client-management/mdm/policy-csp-wirelessdisplay.md Normal file
View File

@ -0,0 +1,239 @@
---
title: Policy CSP - WirelessDisplay
description: Policy CSP - WirelessDisplay
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Policy CSP - WirelessDisplay
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## WirelessDisplay policies
<!--StartPolicy-->
<a href="" id="wirelessdisplay-allowprojectionfrompc"></a>**WirelessDisplay/AllowProjectionFromPC**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
- 0 - your PC cannot discover or project to other devices.
- 1 - your PC can discover and project to other devices
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wirelessdisplay-allowprojectionfrompcoverinfrastructure"></a>**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
- 1 - your PC can discover and project to other devices over infrastructure.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wirelessdisplay-allowprojectiontopc"></a>**WirelessDisplay/AllowProjectionToPC**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
<p style="margin-left: 20px">If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** &gt; **System** &gt; **Projecting to this PC**.
<p style="margin-left: 20px">Value type is integer. Valid value:
- 0 - projection to PC is not allowed. Always off and the user cannot enable it.
- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wirelessdisplay-Allowprojectiontopcoverinfrastructure"></a>**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct.
- 1 - your PC is discoverable and other devices can project to it over infrastructure.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wirelessdisplay-allowuserinputfromwirelessdisplayreceiver"></a>**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="wirelessdisplay-requirepinforpairing"></a>**WirelessDisplay/RequirePinForPairing**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
<p style="margin-left: 20px">If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** &gt; **System** &gt; **Projecting to this PC**.
<p style="margin-left: 20px">Value type is integer. Valid value:
- 0 (default) - PIN is not required.
- 1 - PIN is required.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->