Merge branch 'main' into aljupudi-5864419-cspWindows11updates

Alekhya Jupudi 2022-05-02 21:03:50 +05:30 committed by GitHub
commit b848be79d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
342 changed files with 4254 additions and 4374 deletions

View File

@ -47,12 +47,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
| Article | Score | Issues | Spelling<br>issues | Scorecard | Processed |
| Article | Score | Issues | Correctness<br>issues | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
"
:template-change
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/spelling} | [link](${acrolinx/scorecard}) | ${s/status} |
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
"
:template-footer

View File

@ -5167,7 +5167,7 @@
},
{
"source_path": "windows/device-security/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/security-compliance-toolkit-10",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
{
@ -19447,7 +19447,7 @@
},
{
"source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware",
"redirect_document_id": false
},
{
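Review bot: the `.md` suffix removed from the supply-chain-malware `redirect_url` is fixed here as a one-off, so the same mistake can recur elsewhere in the file. Search the rest of this redirection file for other `redirect_url` values ending in `.md`, and consider a build check that rejects them, since a redirect target is a published URL and not a source file path.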
@ -19505,6 +19505,11 @@
"redirect_url": "/education/",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": false
},
{
"source_path": "windows/education/developers.yml",
"redirect_url": "/education/",
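Review bot: the new redirect for `windows/security/threat-protection/security-compliance-toolkit-10.md` is inserted between two `/education/` entries, far from the related security-compliance-toolkit entry updated at line 5167. Move it beside the related entries. Also check that no remaining `redirect_url` in this file still points at `/windows/security/threat-protection/security-compliance-toolkit-10`, because that path is now itself a redirect source and any entry targeting it becomes a two-hop redirect.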

View File

@ -33,7 +33,7 @@
"ms.technology": "microsoft-edge",
"audience": "ITPro",
"ms.topic": "article",
"manager": "laurawi",
"manager": "dansimp",
"ms.prod": "edge",
"feedback_system": "None",
"hideEdit": true,

View File

@ -48,8 +48,6 @@ landingContent:
links:
- text: Test your site on Microsoft Edge for free on BrowserStack
url: https://developer.microsoft.com/microsoft-edge/tools/remote/
- text: Use sonarwhal to improve your website
url: https://sonarwhal.com/
# Card (optional)
- title: Improve compatibility with Enterprise Mode
@ -77,7 +75,7 @@ landingContent:
- linkListType: download
links:
- text: NSS Labs web browser security reports
url: https://www.microsoft.com/download/details.aspx?id=54773
url: https://www.microsoft.com/download/details.aspx?id=58080
- linkListType: overview
links:
- text: Microsoft Edge sandbox
@ -126,10 +124,8 @@ landingContent:
url: ./edge-technical-demos.md
- linkListType: how-to-guide
links:
- text: Import bookmarks
url: https://microsoftedgetips.microsoft.com/2/39
- text: Password management
url: https://microsoftedgetips.microsoft.com/2/18
- text: Microsoft Edge features and tips
url: https://microsoftedgetips.microsoft.com
# Card (optional)
- title: Stay informed

View File

@ -30,7 +30,7 @@
"ms.technology": "internet-explorer",
"ms.prod": "ie11",
"ms.topic": "article",
"manager": "laurawi",
"manager": "dansimp",
"ms.date": "04/05/2017",
"feedback_system": "None",
"hideEdit": true,

View File

@ -35,7 +35,7 @@ If you don't want to use the Enterprise Mode Site List Manager, you also have th
The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1.
> [!IMPORTANT]
> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `<domain>contoso.com</domain>` automatically applies to both http://contoso.com and https://contoso.com.
> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `<domain>contoso.com</domain>` automatically applies to both `http://contoso.com` and `https://contoso.com`.
```xml
<rules version="1">
@ -71,7 +71,7 @@ This table includes the elements used by the Enterprise Mode schema.
|&lt;emie&gt; |The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. <br> **Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; <br> </pre><p> **or** <br> For IPv6 ranges: <pre class="syntax"><br>&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; </pre><p> <br> **or**<br> For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; | Internet Explorer 11 and Microsoft Edge |
|&lt;docMode&gt; |The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the docMode section that uses the same value as a &lt;domain&gt; element in the emie section, the emie element is applied. <br> **Example** <pre class="syntax"> <br/>&lt;rules version="205"&gt; <br> &lt;docmode&gt; <br> &lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt; <br> &lt;/docmode&gt;<br>&lt;/rules&gt; |Internet Explorer 11 |
|&lt;domain&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element. <br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain&gt;contoso.com:8080&lt;/domain&gt;<br>&lt;/emie&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="true"&gt;fabrikam.com <br> &lt;path exclude="false"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="true"&gt;fabrikam.com <br> &lt;path exclude="false"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
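Review bot: in the `<emie>` row, the example labelled "For IPv6 ranges" shows `[10.122.34.99]:8080`, which is an IPv4 address in brackets and is identical to the "For IPv4 ranges" example that follows it. Since this hunk already edits the table, replace the IPv6 example with a bracketed IPv6 literal and confirm which form the IPv4 example should take. The `<docMode>` row also reads "document mode section of the section", which looks like a slip for "of the schema".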
@ -79,10 +79,10 @@ This table includes the attributes used by the Enterprise Mode schema.
|Attribute|Description|Supported browser|
|--- |--- |--- |
|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.|Internet Explorer 11 and Microsoft Edge|
|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does.|Internet Explorer 11 and Microsoft Edge|
|docMode|Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt;elements in the &lt;docMode&gt; section.<br> **Example**<pre class="syntax">&lt;docMode&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path docMode="9"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/docMode&gt;|Internet Explorer 11|
|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.<br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com <br> &lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. <br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude=&quot;true&quot;&gt;fabrikam.com <br> &lt;path forcecompatview=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.<br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com <br> &lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where `https://fabrikam.com` opens in the IE11 browser, but `https://fabrikam.com/products` loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. <br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude=&quot;true&quot;&gt;fabrikam.com <br> &lt;path forcecompatview=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where `https://fabrikam.com` does not use Enterprise Mode, but `https://fabrikam.com/products` uses IE7 Enterprise Mode.|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that &lt;emie&gt; entries override &lt;docMode&gt; entries for the same domain.
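Review bot: in the `exclude` row the explanatory sentence contradicts its own example. The example sets `exclude="false"` on the domain and `exclude="true"` on `/products`, yet the text says fabrikam.com doesn't use IE8 Enterprise Mode and `/products` does. The `<path>` row in the elements table uses the opposite attribute values with the same sentence, so one of the two is wrong; swap the values here or invert the sentence. In the `forceCompatView` row the example spells the attribute `forcecompatview`, which does not match the case of the attribute name in the first column.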

View File

@ -45,7 +45,7 @@ You can continue to use the v.1 version of the schema on Windows 10, but you wo
The following is an example of the v.2 version of the Enterprise Mode schema.
> [!IMPORTANT]
> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `<url="contoso.com">`, automatically applies to both http://contoso.com and https://contoso.com.
> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `<url="contoso.com">`, automatically applies to both `http://contoso.com` and `https://contoso.com`.
```xml
<site-list version="205">
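Review bot: the changed note still shows `<url="contoso.com">`, which is not well-formed XML and does not match the v.2 schema on this page, where `url` is an attribute of `<site>` (the attributes table uses `<site url="contoso.com">`). Use the `<site url="contoso.com">` form in the note as well, and drop the comma before "automatically".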
@ -109,9 +109,9 @@ The &lt;url&gt; attribute, as part of the &lt;site&gt; element in the v.2 versio
|Attribute|Description|Supported browser|
|---------|---------|---------|
|allow-redirect|A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt;</pre> In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. <li>| Internet Explorer 11 and Microsoft Edge|
|allow-redirect|A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt;</pre> In this example, if `https://contoso.com/travel` is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. | Internet Explorer 11 and Microsoft Edge|
|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both `http://contoso.com` and `https://contoso.com`. <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to `https://contoso.com:8080` using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:

View File

@ -47,7 +47,7 @@ For more info about this, see [Deploy and configure apps](/mem/intune/).
2. Any employee in the assigned group can now install the package.
For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
For more info about this, see [Update apps using Microsoft Intune](/mem/intune/apps/apps-windows-10-app-deploy)
 

View File

@ -42,7 +42,7 @@ RIES does not:
- Affect the applied Administrative Template Group Policy settings.
RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528).
RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5).
## IE is crashing or seems slow
If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode.

View File

@ -27,7 +27,7 @@ We strongly suggest that while you're using virtualization, you also update your
The Microsoft-supported options for virtualizing web apps are:
- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653).
- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](/microsoft-desktop-optimization-pack/medv-v2/).
- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](/previous-versions/windows/it-pro/windows-8.1-and-8/hh857623(v=ws.11)).<p>
For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662).
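Review bot: the last line of this hunk still uses a `go.microsoft.com/fwlink` link (`LinkId=271662`) for Microsoft Desktop Virtualization, while the MED-V link two lines above it was converted to a direct path. Convert it in the same pass, or say why it is kept, so the page does not mix both styles. The trailing `<p>` after the Client Hyper-V link also looks like leftover markup.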

View File

@ -83,7 +83,7 @@ sections:
- question: |
What test tools exist to test for potential application compatibility issues?
answer: |
The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://testdrive-archive.azurewebsites.net/html5/compatinspector/help/post.htm). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
- question: |
Why am I having problems launching my legacy apps with Internet Explorer 11?
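Review bot: the new Compat Inspector target is hosted on `testdrive-archive.azurewebsites.net` rather than on a Microsoft documentation or support domain. Confirm that the app is Microsoft-owned and will stay provisioned, because a released `azurewebsites.net` name can be registered again by another party and the documentation would then point readers at content outside Microsoft's control. If a first-party location for the guide exists, link there instead. The `modern.ie` fwlink in the same sentence was left unconverted.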

View File

@ -19,7 +19,7 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ([OpenSearch 1.1 Draft 5](https://opensearch.org/docs/latest/opensearch/index/)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers.
Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employees ability to add or remove search providers.
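Review bot: the new target for "OpenSearch 1.1 Draft 5" does not match the text. `https://opensearch.org/docs/latest/opensearch/index/` is the documentation of the OpenSearch search and analytics engine, not the OpenSearch description-document specification that the sentence attributes to the A9 website. Link to a copy of the 1.1 Draft 5 specification, or keep the name of the standard and remove the link.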

View File

@ -39,8 +39,6 @@ These command-line options work with IExpress:<br>
|`/r:a` |Always restarts the computer after installation. |
|`/r:s` |Restarts the computer after installation without prompting the employee. |
For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973).
## Related topics
- [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md)
- [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md)

View File

@ -46,8 +46,6 @@ landingContent:
url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681
- text: 'Windows 10: Top Features for IT Pros'
url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965
- text: Manage and modernize Internet Explorer with Enterprise Mode
url: https://channel9.msdn.com/events/teched/newzealand/2014/pcit307
- text: 'Virtual Lab: Enterprise Mode'
url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02

View File

@ -35,7 +35,7 @@
"ms.technology": "windows",
"ms.topic": "article",
"audience": "ITPro",
"manager": "laurawi",
"manager": "dansimp",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

View File

@ -30,7 +30,7 @@
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "laurawi",
"manager": "dansimp",
"ms.mktglfcycl": "manage",
"ms.sitesec": "library",
"ms.date": "05/23/2017",

View File

@ -28,7 +28,7 @@
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
"manager": "laurawi",
"manager": "dansimp",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

View File

@ -31,7 +31,7 @@
"audience": "windows-education",
"ms.topic": "article",
"ms.technology": "windows",
"manager": "laurawi",
"manager": "dansimp",
"audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
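Review bot: the context around the `manager` change shows `"audience"` set twice in the same object, first to `"windows-education"` and then to `"ITPro"`. Duplicate keys are ambiguous in JSON, and most parsers silently keep the last one. Decide which value is intended and delete the other while this block is being edited.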

View File

@ -2,12 +2,18 @@
## Week of March 14, 2022
## Week of April 25, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 3/18/2022 | Educator Trial in a Box Guide | removed |
| 3/18/2022 | Microsoft Education Trial in a Box | removed |
| 3/18/2022 | IT Admin Trial in a Box Guide | removed |
| 3/18/2022 | Microsoft Education Trial in a Box Support | removed |
| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
## Week of April 18, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
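Review bot: the "Week of April 25, 2022" table lists the same row twice, `| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |`. Drop the duplicate, or fix the generator if this file is produced automatically.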

View File

@ -486,8 +486,8 @@ Table 9. Management systems and deployment resources
|Windows provisioning packages| <li> [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) <li>[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) <li> [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
|Group Policy|<li> [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) <li> [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
|Configuration Manager| <li> [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)) <li> [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
|Intune| <li> [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) <li> [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263) <li> [System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
|MDT| <li>[MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) <li> [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
|Intune| <li> [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) <li> [System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
|MDT| <li> [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
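Review bot: the rewritten Intune row keeps `&amp;amp;` in the link text "System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune", which renders as a literal `&amp;` instead of an ampersand. Reduce it to a single `&amp;` while the line is being changed. The Group Policy row above it also ends with a stray `"` before the closing `|`, and the remaining Intune link still goes through `go.microsoft.com/fwlink`.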
@ -504,7 +504,7 @@ Table 10. Management systems and app deployment resources
|--- |--- |
|Group Policy| <li> [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) <li> [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) <li> [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
|Configuration Manager| <li> [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)) <li> [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
|Intune| <li> [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913) <li> [Manage apps with Microsoft Intune](/mem/intune/)|
|Intune| <li> [Manage apps with Microsoft Intune](/mem/intune/)|
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -585,8 +585,6 @@ In some instances, you may receive the devices with Windows 10 already deployed
- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)
- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)
- [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10))

View File

@ -114,7 +114,7 @@ Office 365 Education allows:
* Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management.
* Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
* Faculty to use advanced compliance tools on the unified eDiscovery pages in the Microsoft Purview compliance portal.
* Faculty to host online classes, parentteacher conferences, and other collaboration in Skype for Business.
@ -587,7 +587,7 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec
#### To deploy AD DS and Azure AD synchronization
1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-prerequisites/).
1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](/azure/active-directory/cloud-sync/how-to-prerequisites).
2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account.
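Review bot: the new prerequisites link in step 1 points to a path under `cloud-sync` (`/azure/active-directory/cloud-sync/how-to-prerequisites`), but the link text and step 2 are about installing and running Azure AD Connect on a VM or physical device. Check that the target is the prerequisites article for Azure AD Connect itself and not for cloud sync, since the two have different requirements.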
@ -642,7 +642,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|Method |Description and reason to select this method |
|-------|---------------------------------------------|
|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).|
|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
*Table 12. AD DS bulk-import account methods*
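Review bot: The Windows PowerShell row of Table 12 still links to social.technet.microsoft.com, while this hunk drops the technet.microsoft.com ADSI Scriptomatic link from the VBScript row. If the TechNet link was removed because the host is retired, check the remaining TechNet wiki link in the same pass, and replace or drop it if it no longer resolves. Admins following this table to bulk-create accounts should not be sent to a dead or redirected page.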
@ -899,7 +899,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
4. Add Windows apps.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
@ -1096,13 +1096,13 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
#### To configure Intune settings
1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4).
1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](/mem/intune/fundamentals/licenses-assign).
2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune).
2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](/mem/intune/enrollment/quickstart-enroll-windows-device).
3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](/mem/intune/configuration/device-profiles).
4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](/intune/deploy-use/manage-windows-pcs-with-microsoft-intune).
4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](/mem/intune/remote-actions/device-management).
### Deploy and manage apps by using Intune
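Review bot: In steps 2 and 4 of "To configure Intune settings", the link text no longer matches where the link goes. "Get ready to enroll devices in Microsoft Intune" now targets /mem/intune/enrollment/quickstart-enroll-windows-device, and "Manage Windows PCs with Microsoft Intune" now targets /mem/intune/remote-actions/device-management. Please update the link text to the titles of the new target articles so the step describes the page the reader actually lands on.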
@ -1112,11 +1112,10 @@ You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune pr
For more information about how to configure Intune to manage your apps, see the following resources:
- [Add apps with Microsoft Intune](/intune/deploy-use/add-apps)
- [Deploy apps with Microsoft Intune](/intune/deploy-use/deploy-apps)
- [Update apps using Microsoft Intune](/intune/deploy-use/update-apps-using-microsoft-intune)
- [Protect apps and data with Microsoft Intune](/intune/deploy-use/protect-apps-and-data-with-microsoft-intune)
- [Help protect your data with full or selective wipe using Microsoft Intune](/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune)
- [Add apps with Microsoft Intune](/mem/intune/apps/apps-add)
- [Deploy apps with Microsoft Intune](/mem/intune/apps/apps-windows-10-app-deploy)
- [Protect apps and data with Microsoft Intune](/mem/intune/apps/app-protection-policy)
- [Help protect your data with full or selective wipe using Microsoft Intune](/mem/intune/remote-actions/devices-wipe)
### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
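Review bot: The resource list goes from five entries to four. "Update apps using Microsoft Intune" is removed and nothing replaces it. If no current article covers app updates, that is fine, but say so in the commit description. Otherwise add the replacement link, because the surrounding section is about deploying and managing apps and keeping them updated is part of that. Also note that "Deploy apps with Microsoft Intune" now points to a Windows 10 specific page (apps-windows-10-app-deploy), so the generic link text is broader than the target.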
@ -1142,8 +1141,8 @@ To help ensure that your users have the most current features and security prote
For more information about how to configure Intune to manage updates and malware protection, see the following resources:
- [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
- [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-configure)
### Manage updates by using Microsoft Endpoint Configuration Manager
@ -1252,8 +1251,8 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
|Task and resources|Monthly|New semester or academic year|As required|
|--- |--- |--- |--- |
|Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️|
|Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️|
|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br>For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
|Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br>For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
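Review bot: In the Windows Defender row of Table 19, both "Turn Windows Defender on or off" and "Updating Windows Defender" now resolve to the same URL, /mem/intune/user-help/turn-on-defender-windows. The task in that row is to verify that Defender is active and current with Security intelligence, so the second link should go to a page that covers updating definitions, or the two links should be merged into one with text that matches the single target. As written, the reader is offered two resources but gets one, and nothing on updating.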

View File

@ -74,7 +74,7 @@ Office 365 Education allows:
- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
- Faculty to use advanced email features like email archiving and legal hold capabilities.
- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management.
- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Microsoft Purview compliance portal.
- Faculty to host online classes, parentteacher conferences, and other collaboration in Skype for Business or Skype.
- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.

View File

@ -36,7 +36,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
- **Minecraft: Education Edition** requires Windows 10.
- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
- If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
<!-- ![teacher.](images/teacher.png) -->

View File

@ -20,31 +20,34 @@ ms.topic: conceptual
**Applies to:**
- Windows 10
- Windows 10
When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization.
>[!Note]
>If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
>If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information, see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
## Settings for Office 365 A3 or Office 365 A5 customers
## Settings for Microsoft 365 A3 or Microsoft 365 A5 customers
Schools that purchased these products have an extra option for making Minecraft: Education Edition available to their students:
- Office 365 A3 or Office 365 A5
- Enterprise Mobility + Security E3 or Enterprise Mobility + Security E5
- Microsoft 365 A3 or Microsoft 365 A5
- Minecraft: Education Edition
If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Office 365 A3 or Office 365 A5. On your Office 365 A3 or Office 365 A5 details page in **Microsoft Store for Education**, under **Settings & actions**, you can select **Allow access to Minecraft: Education Edition for users of Office 365 A3 or Office 365 A5**.
If your school has these products in your tenant, admins can choose to enable Minecraft: Education Edition for students using Microsoft 365 A3 or Microsoft 365 A5. From the left-hand menu in Microsoft Admin Center, select Users. From the Users list, select the users you want to add or remove for Minecraft: Education Edition access. Add the relevant A3 or A5 license if it hasn't been assigned already.
When this setting is selected, students in your tenant can use Minecraft: Education Edition even if they do not have a trial or a direct license assigned to them.
> [!Note]
> If you add a faculty license, the user will be assigned an instructor role in the application and will have elevated permissions.
If you turn off this setting after students have been using Minecraft: Education Edition, they will have 25 more days to use Minecraft: Education Edition before they do not have access.
After selecting the appropriate product license, ensure Minecraft: Education Edition is toggled on or off, depending on if you want to add or remove Minecraft: Education Edition from the user (it will be on by default).
## Add Minecraft to your Microsoft Store for Education
If you turn off this setting after students have been using Minecraft: Education Edition, they will have up to 30 more days to use Minecraft: Education Edition before they don't have access.
## Add Minecraft to your Microsoft Store for Education
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
If youve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume licenses for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
If youve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
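Review bot: The new paragraph under "Settings for Microsoft 365 A3 or Microsoft 365 A5 customers" tells admins to "Add the relevant A3 or A5 license" without saying which license type students should get, and only the note that follows mentions that a faculty license assigns the instructor role with elevated permissions. Put that distinction in the procedure itself (student license for students, faculty license only for instructors) so the default path does not hand students elevated permissions. The procedure is also written as one run-on paragraph with unformatted UI labels (Microsoft Admin Center, Users), where the rest of the article uses numbered steps and bold UI names. Finally, "If you turn off this setting" now refers back to a license toggle rather than the removed "Allow access to Minecraft: Education Edition" setting, so name the toggle explicitly.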
@ -73,6 +76,7 @@ Now that the app is in your Microsoft Store for Education inventory, you can cho
If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-additional-licenses).
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
@ -80,13 +84,17 @@ Qualified education institutions can purchase Minecraft: Education Edition licen
- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Minecraft: Education Edition payment options
You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice.
### Debit or credit cards
During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
### Invoices
Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements:
- Admins only (not supported for Teachers)
- $500 invoice minimum for your initial purchase
- $15,000 invoice maximum (for all invoices within your organization)
@ -109,6 +117,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine
> After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Apps & software**.
**To view your invoice**
1. In Microsoft Store for Education, click **Manage** and then click **Apps & software**.
2. Click **Minecraft: Education Edition** in the list of apps.
3. On **Minecraft: Education Edition**, click **View Bills**.
@ -117,7 +126,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine
4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png)
![Minecraft: Education Edition app details page with view invoice bills link highlighted.](images/mcee-invoice-bills.png)
The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check.
@ -151,21 +160,21 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click Manage.
You'll see Minecraft: Education Edition product page.
![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-legacy.png)
-Or-
![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-bd.png)
3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**.
![Minecraft Education Edition product page with auto assign control highlighted-2](images/mcee-auto-assign-bd.png)
3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**.
### Install for me
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
<!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
@ -173,20 +182,19 @@ You can install the app on your PC. This gives you a chance to test the app and
3. Click **Install**.
### Assign to others
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
**To assign to others**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png)
3. Click **Invite people**.
3. Click **Invite people**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
**To finish Minecraft install (for students)**
@ -222,14 +230,15 @@ Download for others allows teachers or IT admins to download an app that they ca
Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps.
**To check for app updates**
1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png)
![Microsoft Store app showing Downloads and updates](images/minecraft-private-store.png)
3. Click **Check for updates**, and install all available updates.
![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png)
![Microsoft Store app displaying Check for updates.](images/mc-check-for-updates.png)
4. Restart the computer before installing Minecraft: Education Edition.
@ -238,8 +247,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png)
![Microsoft Store app showing the Download.](images/mc-dnld-others-teacher.png)
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**.

View File

@ -105,8 +105,6 @@ When running tests in this mode, keep the following in mind:
- Permissive mode is not supported in kiosk mode (dedicated test account).
- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode.
See [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
## Learn more
[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)

View File

@ -252,7 +252,7 @@ One of the ways you can present content in a locked down manner is by embedding
3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
### Create a shortcut for the test link
You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:

View File

@ -113,7 +113,7 @@ One of the ways you can present content in a locked down manner is by embedding
3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
### Create a shortcut for the test link

View File

@ -74,5 +74,5 @@ To exit the Take a Test app at any time, press Ctrl+Alt+Delete.
## Get more info
- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms) to find out how.
- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d) to find out how.
- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

View File

@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
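Review bot: Only the security link in the first paragraph was moved to a docs path (/windows/security/security-foundations). The privacy link in the same sentence still uses go.microsoft.com/fwlink/?LinkId=822620. Confirm that the fwlink still lands on a current privacy page and, if the goal of this change is to retire fwlinks in this article, replace it in the same hunk.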

View File

@ -447,7 +447,7 @@ In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink
:::image type="content" alt-text="Check that the device appears in Intune." source="images/intune_groups_devices_list.png":::
## 3. Manage device settings and features
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/mem/intune/configuration/device-profiles).
In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup.

View File

@ -2,21 +2,10 @@
## Week of December 13, 2021
## Week of April 25, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified |
| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
## Week of November 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 11/16/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
| 11/19/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
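Review bot: The new "Week of April 25, 2022" table has the same row twice: both entries are 4/28/2022, "Prerequisites for Microsoft Store for Business and Education (Windows 10)", modified. Keep one. If this file is generated, the generator should de-duplicate on date plus topic so that repeated edits to one article on the same day produce a single row.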

View File

@ -59,17 +59,17 @@ While not required, you can use a management tool to distribute and manage apps.
If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store either to acquire, install, or update apps will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
- account.live.com
- clientconfig.passport.net
- windowsphone.com
- \*.wns.windows.com
- \*.microsoft.com
- \*.s-microsoft.com
- www.msftncsi.com (prior to Windows 10, version 1607)
- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com
- `login.live.com`
- `login.windows.net`
- `account.live.com`
- `clientconfig.passport.net`
- `windowsphone.com`
- `\*.wns.windows.com`
- `\*.microsoft.com`
- `\*.s-microsoft.com`
- `www.msftncsi.com` (prior to Windows 10, version 1607)
- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com`
starting with Windows 10, version 1607)
Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps.
For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients).
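Review bot: In the backticked list, the three wildcard entries (`\*.wns.windows.com`, `\*.microsoft.com`, `\*.s-microsoft.com`) keep the backslash that escaped the asterisk in plain Markdown. Inside a code span the backslash is rendered literally, so an administrator copying these into a proxy allow list gets `\*.` rather than `*.`. Drop the backslash in those three entries now that they are code-formatted.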

View File

@ -346,7 +346,7 @@ This process will recreate both the local and network locations for AppData and
In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client.
This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/download/details.aspx?id=38177).
This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Endpoint Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications).
The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).

View File

@ -11,7 +11,7 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.topic: article
---
---
# Automatically clean up unpublished packages on the App-V client
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
@ -62,5 +62,5 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
## Related topics
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186)
- [Deploying App-V for Windows client](appv-deploying-appv.md)
- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)

View File

@ -26,7 +26,7 @@ This article will tell you how to configure the App-V client to receive updates
## Configure the App-V client to receive updates from the publishing server
1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to create a connection group](appv-create-a-connection-group.md).
2. To open the management console, open a web browser and enter the following URL: <https://MyMgmtSrv/AppvManagement/Console.html>. Import, publish, and entitle all packages and connection groups that your users will need.
2. To open the management console, open a web browser and enter the following URL: `https://MyMgmtSrv/AppvManagement/Console.html`. Import, publish, and entitle all packages and connection groups that your users will need.
3. On the computer running the App-V client, open an elevated Windows PowerShell command prompt, and run the following command:
```PowerShell

View File

@ -48,7 +48,6 @@ Use the following instructions to use SQL scripts, rather than the Windows Insta
>[!IMPORTANT]
> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
> The Permissions.sql script should be updated according to Step 2 in [KB article 3031340](https://support.microsoft.com/kb/3031340). Step 1 is not required for versions of App-V later than App-V 5.0 SP3.
### Updated management database README file content
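Review bot: With the Permissions.sql line gone from the Important note, a reader deploying the database with the SQL scripts is no longer told that Permissions.sql needs to be updated, only that InsertVersionInfo.sql can be skipped. If KB article 3031340 is being dropped because the link is retired, state the required Permissions.sql change inline (or confirm it is no longer needed) rather than removing the instruction.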

View File

@ -419,18 +419,11 @@ This section describes the requirements and options for deploying Visio 2013 and
### Additional resources for Office 2013 App-V Packages
* [Office 2013 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778)
* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/kb/2772509)
### Additional resources for Office 2010 App-V Packages
* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/download/details.aspx?id=38399)
* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619)
* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069)
### Additional resources for Connection Groups
* [Managing Connection Groups](appv-managing-connection-groups.md)
* [Connection groups on the App-V team blog](https://blogs.msdn.microsoft.com/gladiator/tag/connection-groups/)
* [Connection groups on the App-V team blog](/archive/blogs/gladiator/app-v-5-more-on-connection-groups)
### Additional resources for Dynamic Configuration

View File

@ -350,8 +350,6 @@ Server Performance Tuning Guidelines for
**Windows Client (Guest OS) Performance Tuning Guidance**
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)

View File

@ -70,7 +70,7 @@ The following table describes the integration level of each version of Office, a
|Office 2013|Always integrated. Windows operating system integrations cannot be disabled.|
|Office 2016|Always integrated. Windows operating system integrations cannot be disabled.|
Microsoft recommends deploying Office coexistence with only one integrated Office instance. For example, if youre using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069).
Microsoft recommends deploying Office coexistence with only one integrated Office instance. For example, if youre using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode.
### Known limitations of Office coexistence scenarios

View File

@ -26,7 +26,7 @@ MSI packages that were generated using an App-V sequencer from previous versions
1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
2. Ensure that you have installed the **MSI Tools** included in the Windows 10 SDK, available as follows:
2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows:
- For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/en-us/windows/downloads).
@ -47,12 +47,12 @@ MSI packages that were generated using an App-V sequencer from previous versions
where the path is to the new directory (**C:\MyMsiTools\ for this example**).
## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10
An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier.
An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server doesn't understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but isn't backported to versions of App-V 5.0 SP3 or earlier.
**Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients.
## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server
If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each users profile. Globally published packages will not have access to this custom configuration.
## Custom configurations don't get applied for packages that will be published globally if they're set using the App-V Server
If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each users profile. Globally published packages won't have access to this custom configuration.
**Workaround**: Do one of the following:
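Review bot: Rewording the heading to "Custom configurations don't get applied ... if they're set using the App-V Server" changes the anchor generated from it, so existing links to the old heading fragment will stop resolving. The neighbouring headings ("Server files not deleted ...", "File type associations added manually are not saved correctly") were left as they were; either leave this heading unchanged as well and contract only the body text, or check for inbound links to the old fragment.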
@ -64,7 +64,7 @@ If you assign a package to an AD group that contains machine accounts and apply
## Server files not deleted after new App-V Server installation
If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the installation fails, the wrong version of the Management server is installed, and an error message is returned. The issue occurs because the Server files are not being deleted when you uninstall App-V 5.0 SP1, so the installation process does an upgrade instead of a new installation.
If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the installation fails, the wrong version of the Management server is installed, and an error message is returned. The issue occurs because the Server files aren't being deleted when you uninstall App-V 5.0 SP1, so the installation process does an upgrade instead of a new installation.
**Workaround**: Delete this registry key before you start installing App-V:
@ -72,19 +72,19 @@ Under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVe
## File type associations added manually are not saved correctly
File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard are not saved correctly. They will not be available to the App-V Client or to the Sequencer when updating the saved package again.
File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard aren't saved correctly. They won't be available to the App-V Client or to the Sequencer when updating the saved package again.
**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer will detect the new association in the system registry and add it to the packages virtual registry, where it will be available to the client.
## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, additional data is written to the local disk.
To decrease the amount of data written to a clients local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the clients local disk that would not otherwise be written.
To decrease the amount of data written to a clients local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. However, if AppLocker manages an application within the package, some data might be written to the clients local disk that wouldn't otherwise be written.
**Workaround**: None
## In the Management Console Add Package dialog box, the Browse button is not available when using Chrome or Firefox
On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you are accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package.
On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package.
**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you will be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps:
@ -128,18 +128,13 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed,
3. If the package is currently published, run **Repair-AppvClientPackage** on that package.
## Icons not displayed properly in Sequencer
Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32.
Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the sizes of the icons are not 16x16 or 32x32.
**Workaround**: Only use icons that are 16x16 or 32x32.
## InsertVersionInfo.sql script no longer required for the Management Database
The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340).
> [!IMPORTANT]
> **Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3.
## Microsoft Visual Studio 2012 not supported
App-V doesn't support Visual Studio 2012.

View File

@ -28,9 +28,9 @@ The following list displays the endto-end high-level workflow for reporting i
* Windows Authentication role (under **IIS / Security**)
* SQL Server installed and running with SQL Server Reporting Services (SSRS)
To confirm SQL Server Reporting Services is running, enter <https://localhost/Reports> in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear.
To confirm SQL Server Reporting Services is running, enter `https://localhost/Reports` in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear.
2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/download/details.aspx?id=42630).
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service.
> [!NOTE]
>If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V.

View File

@ -19,13 +19,6 @@ ms.author: aaroncz
This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
## Obtain the client management console
The client management console is separate from the App-V client itself. You can download the client management console from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=41186).
> [!NOTE]
> To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client.
## Options for managing the App-V client
The App-V client has associated settings that can be configured to determine how the client will run in your environment. You can manage these settings on the computer that runs the client, or you can use Windows PowerShell or Group Policy. For more information about configuring the client by using Windows PowerShell or Group Policy, see:
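Review bot: Removing the "Obtain the client management console" section also removes the note that administrative access on the computer running the App-V client is needed to perform all console actions. That requirement does not depend on the retired download link; keep the note, for example under the article introduction, and drop only the Download Center sentence.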

View File

@ -33,7 +33,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",

View File

@ -33,7 +33,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",

View File

@ -47,16 +47,8 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Azure AD Join on Windows 10 (and Windows 11) devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
[Azure AD support for Windows 10 (and Windows 11)](https://go.microsoft.com/fwlink/p/?LinkID=615765)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
[How to manage Windows 10 (and Windows 11) devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620)
[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/)

View File

@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de
## Related topics
- [What is Intune?](//mem/intune/fundamentals/what-is-intune)
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)

View File

@ -24,7 +24,7 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
The following shows the AllJoynManagement configuration service provider in tree format
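Review bot: The replacement sentence ends with two back-to-back "For more information, see" links, labelled "Device System Bridge (DSB)" and "AllJoyn - Wikipedia", that both point to https://wikipedia.org/wiki/AllJoyn, so the DSB label no longer matches its target. Collapse them into one link with an accurate label. The same line still reads "must be set on the directly on the device itself"; fix that while touching it.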

View File

@ -99,11 +99,11 @@ The following diagram illustrates the high-level flow involved in the actual enr
![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Add a cloud-based MDM
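Review bot: Both changed sentences rename the link text to "Microsoft Graph API" but keep the target /azure/active-directory/develop/active-directory-graph-api, which is the Azure AD Graph article. Azure AD Graph and Microsoft Graph are different APIs, so the label and the target now disagree. Either point the link at the Microsoft Graph documentation or keep the old name until the instructions that depend on it are migrated.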
@ -112,7 +112,7 @@ A cloud-based MDM is a SaaS application that provides device management capabili
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> [!NOTE]
> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs.
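Review bot: The note fixes "tentant", but the following paragraph in the same hunk still has "whatever the customer tenent the managed device belongs", and the preceding line reads "Here a code sample". Correct these in the same pass so the key-handling paragraph reads cleanly.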
@ -148,7 +148,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
13. Generate a key for your application and copy it.
You need this key to call the Azure AD Graph API to report device compliance. This information is covered in the next section.
You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
@ -164,7 +164,7 @@ For more information about registering applications with Azure AD, see [Basics o
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715).
@ -202,7 +202,7 @@ The following table shows the required information to create an entry in the Azu
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Azure AD Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
## Themes
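Review bot: The rewritten sentence still begins "Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance". Since the line is being changed anyway, fix the typo and the grammar, for example "The ID and key are used to obtain authorization to access the Microsoft Graph API and to report device compliance."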
@ -247,7 +247,6 @@ The following parameters are passed in the query string:
|api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.|
|mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.|
### Access token
Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format:
@ -267,7 +266,7 @@ The following claims are expected in the access token passed by Windows to the T
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api).
To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
Here's an example URL.
@ -379,9 +378,10 @@ Additional claims may be present in the Azure AD token, such as:
Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler).
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
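Review bot: The first bullet still says "Use the JWT Token Handler extension for WIF", but the link now goes to the JwtSecurityTokenHandler class reference (/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). Update the sentence to name the class the link documents, so readers validating the enrollment access token are not sent looking for a WIF extension.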
@ -443,9 +443,9 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
### Use Microsoft Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device being managed by it.
The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
> [!NOTE]
> This API is only applicable for approved MDM apps on Windows 10 devices.
@ -466,7 +466,7 @@ Where:
- **contoso.com** This value is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This value is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **eyJ0eXAiO**……… This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
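Review bot: The bearer-token bullet now says the token authorizes a call to the Microsoft Graph API, yet the parameter list still documents **api-version** as selecting "which version of the graph API is being requested". An api-version query parameter is the Azure AD Graph convention; Microsoft Graph carries the version in the URL path. Check that the sample request this list describes was actually moved to Microsoft Graph, and if it was not, the rename here and in the "Use Microsoft Graph API" heading is misleading.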

View File

@ -225,7 +225,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
|New or updated article|Description|
|--- |--- |
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](\networkproxy--csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 03/02/2022
ms.date: 04/30/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -18,7 +18,7 @@ ms.collection: highpri
- Windows 10
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
@ -42,9 +42,9 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins)
In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins)
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.
## Verify auto-enrollment requirements and settings
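Review bot: The rewritten precedence sentence introduces a doubled word, "Group Policy policy takes precedence over MDM"; drop the second "policy". The next sentence says "a new setting allows you to change precedence to MDM" without naming the setting, so an administrator who needs MDM to win has nothing to search for; name the setting or link to its reference article.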
@ -60,12 +60,13 @@ The following steps demonstrate required settings using the Intune service:
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
> [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
> For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
>
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
> For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
3. Verify that the device OS version is Windows 10, version 1709 or later.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. The device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
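Review bot: In the IMPORTANT note, "For bring-your-own devices (BYOD devices)" expands the acronym incorrectly and then repeats "devices"; BYOD already ends in "device", so "For bring-your-own-device (BYOD) scenarios" reads correctly. The same hunk changes "corporate devices" to "corporate-owned devices", so the two halves of the note should use parallel wording, and step 4 still has "devices which are" where "devices that are" is expected.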
@ -87,7 +88,7 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor** > **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
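Review bot: Step 7 now points readers to **Local Group Policy Editor** to verify that the policy is "properly deployed to all devices", but a later note in this same file states "The GPEdit console does not reflect the status of policies set by your IT admin on your device." The reformatted path therefore sends readers to a tool that cannot confirm a domain-deployed policy. Suggest replacing the path with a check of the applied policy on the client, for example a `gpresult` report, or stating the path as where the setting lives rather than how to verify it.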
@ -105,35 +106,31 @@ Requirements:
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run GPEdit.msc
Click Start, then in the text box type gpedit.
1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
2. Under **Best match**, click **Edit group policy** to launch it.
2. Under **Best match**, select **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
>
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop because the Intune subscription is user centric.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
If two-factor authentication is required, you'll be prompted to complete the process. Here is an example screenshot.
![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
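Review bot: Step 4 now bolds the option as **Selected Credential Type to use** while step 5 calls the same dropdown **Select Credential Type to Use**; only one of these can match the UI string, so pick the label shown in the policy dialog and use it in both steps. In the merged note, the added clause "because the Intune subscription is user centric" explains why Device Credential is restricted but the sentence does not connect that reason to co-management or Azure Virtual Desktop, and removing the empty `>` line runs two separate points into one paragraph; restore the break.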
@ -141,33 +138,33 @@ Requirements:
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
7. Click **Info** to see the MDM enrollment information.
7. Select **Info** to see the MDM enrollment information.
![Work School Settings.](images/autoenrollment-settings-work-school.png)
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
If you do not see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
1. Click **Start**, then in the text box type **task scheduler**.
1. Select **Start**, then in the text box type `task scheduler`.
![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, click **Task Scheduler** to launch it.
2. Under **Best match**, select **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (`MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy.
If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
> The GPEdit console does not reflect the status of policies set by your IT admin on your device. GPEdit is only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
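Review bot: Wrapping the error name in backticks keeps the Markdown escapes, so `MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED` will render with literal backslashes; inside a code span it should be `MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`. In step 3 of the Task Scheduler list, "open **Microsoft > Windows** , then select" still has the unsplit path and a space before the comma, unlike the other menu paths this commit reformats.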
@ -178,7 +175,7 @@ Requirements:
- Ensure that PCs belong to same computer group.
> [!IMPORTANT]
> If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
> If you do not see the policy, you might not have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
1. Download:
@ -219,9 +216,9 @@ Requirements:
- 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2)**
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
5. Copy PolicyDefinitions folder to **\\SYSVOL\contoso.com\policies\PolicyDefinitions**.
5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder does not exist, then be aware that you will be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
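Review bot: Moving the step 5 path from bold into a code span changes what readers see. In bold, the leading `\\` was a Markdown escape and rendered as a single backslash; in backticks it is literal, so the path now reads as a UNC path whose server name is SYSVOL. A domain central store is normally reached as `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions`, so please check the path against the linked central policy store article before fixing it in code formatting.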
@ -238,12 +235,14 @@ This procedure will work for any future version as well.
4. Filter using Security Groups.
## Troubleshoot auto-enrollment of devices
Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
To collect Event Viewer logs:
1. Open Event Viewer.
2. Navigate to **Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin**.
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
> [!Tip]
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
@ -260,18 +259,17 @@ To collect Event Viewer logs:
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors) for more information.
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
- The auto-enrollment did not initiate at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
> This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
:::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
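Review bot: In the note about the scheduled task, replacing the hyphen with a comma creates a comma splice: "This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task." Use a period or semicolon. The event log path in the following paragraph is left as one bold run with `>` inside it, while the same path is split into separate bold segments later in this file; convert it here too so the change is consistent.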
@ -279,14 +277,14 @@ To collect Event Viewer logs:
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. The task scheduler log is only useful to confirm if the auto-enrollment task is initiated or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there might be an issue with Group Policy. Immediately run the command `gpupdate /force` in command prompt to get the Group Policy Object applied. If you still have an issue, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (in any MDM solution and not only Intune), some enrollment information added into the registry is seen:
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
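Review bot: In the paragraph beginning "If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated", the task name is not set off from the sentence and is hard to parse; quote it the way the earlier section does ("Schedule created by enrollment client for automatically enrolling in MDM from AAD."). The registry path **HKLM > Software > Microsoft > Enrollments** is also left unsplit, and error code 2149056522 is given only in decimal while the other error code in this file is hexadecimal (0x80180026); adding the hex form 0x8018000A would help readers match it in logs.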

View File

@ -400,7 +400,7 @@ If you purchased an app from the Store for Business and the app is specified for
Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`).
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled.
- The user must be logged in, but association with Azure AD identity isn't required.
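Review bot: The corrected bullet still carries `app1.apx` in the UNC example, while the local and HTTPS examples in the same sentence use `app1.appx`; fix the extension while this line is being edited. The same line also says "a local files system", and the next bullet writes "HTTPs" where "HTTPS" is used elsewhere.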
@ -517,7 +517,7 @@ Provisioning allows you to stage the app to the device and all users of the devi
Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`)
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
- The device doesn't need to have connectivity to the Microsoft Store, or store services enabled.
- The device doesn't need any Azure AD identity or domain membership.
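Review bot: The new HTTPS example leaves a stray backslash inside the code span and drops the closing period: it reads `https://contoso.com/app1.appx\` followed by ")" with no full stop, whereas the identical bullet in the previous hunk was fixed to end with the clean URL, a closing parenthesis and a period. Make both bullets match. The `app1.apx` typo in the UNC example is also still present here.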

View File

@ -291,7 +291,7 @@ The deep link used for connecting your device to work will always use the follow
> [!NOTE]
> Deep links only work with Internet Explorer or Microsoft Edge browsers. When connecting to MDM using a deep link, the URI you should use is:
> **ms-device-enrollment:?mode=mdm**
> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<`https://example.server.com`>**
To connect your devices to MDM using deep links:
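Review bot: Placing backticks inside the angle brackets turns what was an autolink into literal "<" and ">" characters around a code span, so the rendered deep link now shows angle brackets as if they were part of the `servername` value. Since this is a URI that readers copy, put the whole `ms-device-enrollment:` string in a single code span and drop the angle brackets, so there is no ambiguity about which characters belong to the link.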

View File

@ -33,9 +33,9 @@ For details about Microsoft mobile device management protocols for Windows 10 a
## Breaking changes and known issues
### Get command inside an atomic command is not supported
### Get command inside an atomic command isnt supported
In Windows 10 and Windows 11, a Get command inside an atomic command is not supported.
In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
### Apps installed using WMI classes are not removed
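Review bot: The new heading reads "Get command inside an atomic command isnt supported", with the apostrophe missing from "isn't"; the body sentence below it has the contraction spelled correctly. Changing the heading text also changes its anchor, so check for inbound links. The next heading, "Apps installed using WMI classes are not removed", is left uncontracted, so the style change is applied inconsistently within the same section.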
@ -270,7 +270,7 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-
No. Only one MDM is allowed.
### How do I set the maximum number of Azure Active Directory joined devices per user?
1. Login to the portal as tenant admin: https://manage.windowsazure.com.
1. Login to the portal as tenant admin: https://portal.azure.com.
2. Click Active Directory on the left pane.
3. Choose your tenant.
4. Click **Configure**.
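Review bot: Step 1 now points to https://portal.azure.com, but steps 2 to 4 are unchanged and still describe the previous portal's navigation ("Click Active Directory on the left pane", "Click **Configure**"). Verify the remaining steps against the current portal and update them in the same change; otherwise the procedure sends administrators to a page where the named items may not exist. "Login to the portal" should also be "Sign in to the portal" to match the wording used in the rest of this commit.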

View File

@ -25,12 +25,12 @@ The following table shows the OMA DM standards that Windows uses.
|--- |--- |
|Data transport and session|<li>Client-initiated remote HTTPS DM session over SSL.<li>Remote HTTPS DM session over SSL.<li>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.<li>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.|
|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an 
Atomic element is not supported.<br><br/>LocURI cannot start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.|
|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an 
Atomic element isn't supported.<br><br/>LocURI can't start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfo<li>DevDetail<li>OMA DM DMS account objects (OMA DM version 1.2)|
|Security|<li>Authenticate DM server initiation notification SMS message (not used by enterprise management)<li>Application layer Basic and MD5 client authentication<li>Authenticate server with MD5 credential at application level<li>Data integrity and authentication with HMAC at application level<li>SSL level certificate-based client/server authentication, encryption, and data integrity check|
|Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name cannot be empty.<li>The node name cannot be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).<br/><br/>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
|Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name can't be empty.<li>The node name cant be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).<br/><br/>If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
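Review bot: The two replaced specification links in the Provisioning Files and WBXML support rows use the host www.openmobilealliance.org, while the link to the same PDF in the SyncML response status codes section of this article uses openmobilealliance.org without www. Use one host for all three so that a later redirect or link-check fix only has to be made once. While this table is being edited, the unchanged Nodes row still reads "The node name cant be only the asterisk" and needs the apostrophe.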
@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list
|MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>|
|Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
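Review bot: The SessionID note is only touched for the contraction, but "returns the SessionID in integer in decimal format" is still hard to parse, and "the device client returns 2 bytes" doesn't say how those bytes are represented in the message. Suggest "returns the SessionID as an integer in decimal format" and stating the encoding of the 2-byte form, since a server author has to parse both.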
@ -106,7 +106,7 @@ For CSPs and policies that support per user configuration, the MDM server can se
The data part of this alert could be one of following strings:
- User the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
- Others another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
- Others another user login but that user doesn't have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
- None no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login).
Below is an alert example:
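Review bot: The changed "Others" item still reads "another user login but that user doesn't have an MDM account", which is missing a verb. Suggest "another user is logged in, but that user doesn't have an MDM account". In the same item, "for example, configuration applies to all users in the device" looks like it should be "that is, configuration that applies to all users of the device", because it defines device-wide rather than giving one example of it.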
@ -125,7 +125,7 @@ Below is an alert example:
</Alert>
```
The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.
The server notifies the device whether it's a user targeted or device targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it's device targeted configuration.
The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/&lt;PackageFamilyName&gt;/StoreInstall**
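Review bot: The rewritten sentence only swaps in contractions and keeps two errors: "the management nodes LocURL" needs the possessive (node's), and "By default, if no prefix with ./device or ./user, it's device targeted configuration" has no verb in the if-clause. Suggest "By default, if the LocURL has no ./device or ./user prefix, the configuration is device targeted."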
@ -135,13 +135,13 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
<a href="" id="syncml-response-codes"></a>
## SyncML response status codes
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
| Status code | Description |
|---|----|
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs don't typically generate this. |
| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
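Review bot: The 212 row is converted to "don't", but the 215 row two lines below still reads "A command was not executed". If the contraction pass is meant to cover this table, apply it to every row in the same commit so the table doesn't end up in mixed style.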

View File

@ -88,7 +88,7 @@ PassportForWork
Root node for PassportForWork configuration service provider.
<a href="" id="tenantid"></a>***TenantId***
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
<a href="" id="tenantid-policies"></a>***TenantId*/Policies**
Node for defining the Windows Hello for Business policy settings.
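Review bot: In the TenantId description, "To get a GUID, use the PowerShell cmdlet Get-AzureAccount" reads as if any GUID will do, while the value needed is the tenant ID, as the title of the linked blog post says. Suggest "To get the tenant ID, use the PowerShell cmdlet ...". Since the point of this hunk is to repair the cmdlet link, confirm that the new target /powershell/module/servicemanagement/azure.service/get-azureaccount resolves in the build before merging.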
@ -103,7 +103,7 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-requiresecuritydevice"></a>***TenantId*/Policies/RequireSecurityDevice**
Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices.
Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you dont configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Supported operations are Add, Get, Delete, and Replace.
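Review bot: The added RequireSecurityDevice line introduces a typo, "If you dont configure this setting", which needs the apostrophe. The same line describes false as allowing software provisioning "even if there isn't a usable TPM" and not configured as allowing it "if the TPM is non-functional or unavailable"; if these are the same behavior, say so in one sentence, because this is the text an admin reads to decide whether keys may fall back to software. The context line above also still uses "cannot" while the changed line uses contractions.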
@ -126,7 +126,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed.
If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
Supported operations are Add, Get, Delete, and Replace.
@ -550,7 +550,3 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
</SyncBody>
</SyncML>
```
 
 

View File

@ -1,6 +1,6 @@
---
title: ADMX-backed policies in Policy CSP
description: ADMX-backed policies in Policy CSP
description: Learn about the ADMX-backed policies in Policy CSP.
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -980,7 +980,7 @@ ms.date: 10/08/2020
- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy)
- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1)
- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2)
- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1)

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
description: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite.
ms.reviewer:
manager: dansimp
ms.author: dansimp
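Review bot: The new description reads "Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite." and drops the "about" that every sibling description in this commit uses ("Learn about the policies in Policy CSP supported by ..."). Add "about" so the HoloLens articles match.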

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
description: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition.
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by HoloLens 2
description: Policies in Policy CSP supported by HoloLens 2
description: Learn about the policies in Policy CSP supported by HoloLens 2.
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by Windows 10 IoT Core
description: Policies in Policy CSP supported by Windows 10 IoT Core
description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core.
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP supported by Microsoft Surface Hub
description: Policies in Policy CSP supported by Microsoft Surface Hub
description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub.
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
description: Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS).
ms.reviewer:
manager: dansimp
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Policy CSP
description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10.
description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11.
ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
ms.reviewer:
manager: dansimp
@ -16,27 +16,29 @@ ms.collection: highpri
# Policy CSP
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies.
The Policy configuration service provider has the following sub-categories:
- Policy/Config/*AreaName* Handles the policy configuration request from the server.
- Policy/Result/*AreaName* Provides a read-only path to policies enforced on the device.
- Policy/Config/*AreaName* Handles the policy configuration request from the server.
- Policy/Result/*AreaName* Provides a read-only path to policies enforced on the device.
<a href="" id="policy-scope"></a>
> [!Important]
> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
>
> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
>
> User scope:
> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> Device scope:
> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent to the paths provided above:
>
@ -65,89 +67,88 @@ Policy
<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**
<p>The root node for the Policy configuration service provider.
The root node for the Policy configuration service provider.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="policy-config"></a>**Policy/Config**
<p>Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="policy-config-areaname"></a>**Policy/Config/_AreaName_**
<p>The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-config-areaname-policyname"></a>**Policy/Config/_AreaName/PolicyName_**
<p>Specifies the name/value pair used in the policy.
Specifies the name/value pair used in the policy.
<p>The following list shows some tips to help you when configuring policies:
The following list shows some tips to help you when configuring policies:
- Separate substring values by the Unicode &\#xF000; in the XML file.
- Separate substring values by the Unicode &\#xF000; in the XML file.
> [!NOTE]
> A query from a different caller could provide a different value as each caller could have different values for a named policy.
> [!NOTE]
> A query from a different caller could provide a different value as each caller could have different values for a named policy.
- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
<a href="" id="policy-result"></a>**Policy/Result**
<p>Groups the evaluated policies from all providers that can be configured.
Groups the evaluated policies from all providers that can be configured.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="policy-result-areaname"></a>**Policy/Result/_AreaName_**
<p>The area group that can be configured by a single technology independent of the providers.
The area group that can be configured by a single technology independent of the providers.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="policy-result-areaname-policyname"></a>**Policy/Result/_AreaName/PolicyName_**
<p>Specifies the name/value pair used in the policy.
Specifies the name/value pair used in the policy.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="policy-result"></a>**Policy/ConfigOperations**
<p>Added in Windows 10, version 1703. The root node for grouping different configuration operations.
Added in Windows 10, version 1703. The root node for grouping different configuration operations.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-configoperations-admxinstall"></a>**Policy/ConfigOperations/ADMXInstall**
<p>Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall</code>. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see <a href="win32-and-centennial-app-policy-configuration.md" data-raw-source="[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)">Win32 and Desktop Bridge app policy configuration</a>.
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall</code>. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
<p>ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}</code>.
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}</code>.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-configoperations-admxinstall-appname"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_**
<p>Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-configoperations-admxinstall-appname-policy"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
<p>Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-configoperations-admxinstall-appname-policy-uniqueid"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
<p>Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
<p>Supported operations are Add and Get. Does not support Delete.
Supported operations are Add and Get. Does not support Delete.
<a href="" id="policy-configoperations-admxinstall-appname-preference"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
<p>Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
<p>Supported operations are Add, Get, and Delete.
Supported operations are Add, Get, and Delete.
<a href="" id="policy-configoperations-admxinstall-appname-preference-uniqueid"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
<p>Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
<p>Supported operations are Add and Get. Does not support Delete.
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
Supported operations are Add and Get. Does not support Delete.
## Policies
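Review bot: The anchor for the Policy/ConfigOperations node is left as id="policy-result", which duplicates the id already used for Policy/Result earlier in this hunk, so a link to #policy-result can only ever reach the first of them. Since every node paragraph here is being rewritten, change it to id="policy-configoperations" to match the pattern of the other anchors. Two smaller points: the ADMXInstall paragraph converts the `<a>` element to a Markdown link but leaves the `<code>` elements as HTML, and "you cannot change the value" and "Does not support Delete" are not converted to contractions like the rest of the commit.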

View File

@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - AboveLock
<hr/>
<!--Policies-->
@ -123,3 +121,6 @@ The following list shows the supported values:
<!--/Policies-->
## Related topics
[Policy CSP](policy-configuration-service-provider.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Accounts
description: Learn about the Policy configuration service provider (CSP). This articles describes account policies.
description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -169,4 +169,8 @@ The following list shows the supported values:
<!--/Policies-->
<!--/Policies-->
## Related topics
[Policy CSP](policy-configuration-service-provider.md)

View File

@ -67,7 +67,8 @@ If you enable this setting, the administrator can create a list of approved Acti
If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
Note: Wild card characters cannot be used when specifying the host URLs.
>[!Note]
> Wild card characters cannot be used when specifying the host URLs.
<!--/Description-->
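Review bot: The new alert is written as ">[!Note]" with no space after the angle bracket and in mixed case, while the other alerts touched by this commit use "> [!NOTE]". Use "> [!NOTE]" here so the alert is written the same way as the others. The note body also keeps "cannot", which the rest of the commit changes to "can't".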
@ -85,3 +86,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_ActiveXInstallService
description: Policy CSP - ADMX_ActiveXInstallService
description: Learn about the Policy CSP - ADMX_ActiveXInstallService.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
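Review bot: The new description, "Learn about the Policy CSP - ADMX_ActiveXInstallService.", is the title with "Learn about the" in front and tells a reader or a search result nothing more than the title does. Suggest one sentence on what the area controls, based on the article body, which covers the list of approved ActiveX installation sites.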
@ -89,3 +89,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AddRemovePrograms
description: Policy CSP - ADMX_AddRemovePrograms
description: Learn about the Policy CSP - ADMX_AddRemovePrograms.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -93,7 +93,7 @@ The policy setting specifies the category of programs that appears when users op
To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.
If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need.
If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need.
> [!NOTE]
> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled.
@ -150,7 +150,7 @@ ADMX Info:
This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components.
If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option will be available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components.
> [!NOTE]
> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting.
@ -207,7 +207,7 @@ ADMX Info:
This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update.
If you disable this setting or don't configure it, "Add programs from Microsoft" is available to all users. This setting doesn't prevent users from using other tools and methods to connect to Windows Update.
> [!NOTE]
> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
@ -265,9 +265,9 @@ ADMX Info:
This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.
If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.
If you enable this setting, users can't tell which programs have been published by the system administrator, and they can't use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.
If you disable this setting or do not configure it, "Add programs from your network" is available to all users.
If you disable this setting or don't configure it, "Add programs from your network" is available to all users.
> [!NOTE]
> If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
@ -322,9 +322,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
If you disable this setting or don't configure it, the Add New Programs button will be available to all users. This setting doesn't prevent users from using other tools and methods to install programs.
<!--/Description-->
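Review bot: The rewritten last paragraph changes "is available to all users" to "will be available to all users", a tense change that goes beyond the contraction cleanup. The sibling settings on this page keep "is available to all users"; suggest "the Add New Programs button is available to all users" here as well.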
@ -379,7 +379,7 @@ ADMX Info:
This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
If you disable this setting or don't configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting doesn't prevent users from using other tools and methods to install or uninstall programs.
<!--/Description-->
@ -432,9 +432,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting.
If you disable this setting or don't configure it, the Set Program Access and Defaults button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting.
<!--/Description-->
@ -488,9 +488,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
If you disable this setting or don't configure it, the Change or Remove Programs page is available to all users. This setting doesn't prevent users from using other tools and methods to delete or uninstall programs.
<!--/Description-->
@ -543,9 +543,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that haven't been configured and offers users easy access to the configuration tools.
If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services.
If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services.
> [!NOTE]
> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored.
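Review bot: The [!NOTE] at the end of this hunk still reads "When "Set up services" does not appear", while both paragraphs above it were switched to contractions. If the pass is meant to cover the whole description, change it to "doesn't appear" in the same commit so the section reads consistently.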
@ -603,7 +603,7 @@ ADMX Info:
This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
If you disable this setting or do not configure it, the Support Info hyperlink appears.
If you disable this setting or don't configure it, the Support Info hyperlink appears.
> [!NOTE]
> Not all programs provide a support information hyperlink.
@ -658,9 +658,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
If you disable this setting or don't configure it, the Add/Remove Windows Components button is available to all users. This setting doesn't prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
<!--/Description-->
@ -687,3 +687,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AdmPwd
description: Policy CSP - ADMX_AdmPwd
description: Learn about the Policy CSP - ADMX_AdmPwd.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -73,7 +73,7 @@ manager: dansimp
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy.
When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy.
<!--/Description-->
<!--ADMXBacked-->
@ -160,7 +160,7 @@ ADMX Info:
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy.
When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy.
<!--/Description-->
<!--ADMXBacked-->
@ -225,3 +225,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -98,7 +98,7 @@ This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.e
You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.
If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run.
If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components can't run.
If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer.
@ -151,7 +151,7 @@ This policy setting controls the visibility of the Program Compatibility propert
The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications.
Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface.
Enabling this policy setting removes the property page from the context-menus, but doesn't affect previous compatibility settings applied to application using this interface.
<!--/Description-->
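Review bot: The changed sentence still reads "previous compatibility settings applied to application using this interface", which is missing an article. Since the line is being touched anyway, suggest "applied to an application using this interface", and "context menus" without the hyphen.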
@ -247,13 +247,13 @@ ADMX Info:
<!--Description-->
The policy setting controls the state of the Switchback compatibility engine in the system.
Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications.
Switchback is a mechanism that provides generic compatibility mitigation to older applications by providing older behavior to old applications and new behavior to new applications.
Switchback is on by default.
If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using.
If you enable this policy setting, Switchback will be turned off. Turning off Switchback may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they're using.
If you disable or do not configure this policy setting, the Switchback will be turned on.
If you disable or don't configure this policy setting, the Switchback will be turned on.
Reboot the system after changing the setting to ensure that your system accurately reflects those changes.
<!--/Description-->
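Review bot: In the disable/not-configured paragraph, "the Switchback will be turned on" keeps a stray article, while the enabled paragraph in the same hunk says "Switchback will be turned off". Suggest "Switchback will be turned on" so both outcomes name the feature the same way.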
@ -298,13 +298,13 @@ ADMX Info:
<!--Description-->
This policy setting controls the state of the application compatibility engine in the system.
The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem.
The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem.
Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed.
Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed.
The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly.
The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly.
This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
> [!NOTE]
> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes.
@ -350,7 +350,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
This policy setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
<!--/Description-->
@ -395,9 +395,9 @@ ADMX Info:
<!--Description-->
This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues.
If you enable this policy setting, the PCA will be turned off. The user won't be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues.
If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
If you disable or don't configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
> [!NOTE]
> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
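Review bot: The sentence "To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics." appears twice in this description, once in the opening paragraph and again in the disable/not-configured paragraph that this hunk edits. Suggest dropping the second copy while that line is being changed.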
@ -449,7 +449,7 @@ Steps Recorder keeps a record of steps taken by the user. The data generated by
If you enable this policy setting, Steps Recorder will be disabled.
If you disable or do not configure this policy setting, Steps Recorder will be enabled.
If you disable or don't configure this policy setting, Steps Recorder will be enabled.
<!--/Description-->
@ -496,9 +496,9 @@ This policy setting controls the state of the Inventory Collector.
The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems.
If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled.
If you enable this policy setting, the Inventory Collector will be turned off and data won't be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled.
If you disable or do not configure this policy setting, the Inventory Collector will be turned on.
If you disable or don't configure this policy setting, the Inventory Collector will be turned on.
> [!NOTE]
> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
@ -519,3 +519,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AppxPackageManager
description: Policy CSP - ADMX_AppxPackageManager
description: Learn about the Policy CSP - ADMX_AppxPackageManager.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -63,16 +63,16 @@ manager: dansimp
<!--Description-->
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile.
Special profiles are the following user profiles, where changes are discarded after the user signs off:
Special profiles are the following user profiles where changes are discarded after the user signs off:
- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies
- Mandatory user profiles and super-mandatory profiles, which are created by an administrator
- Temporary user profiles, which are created when an error prevents the correct profile from loading
- User profiles for the Guest account and members of the Guests group
- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies.
- Mandatory user profiles and super-mandatory profiles, which are created by an administrator.
- Temporary user profiles, which are created when an error prevents the correct profile from loading.
- User profiles for the Guest account and members of the Guests group.
If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
<!--/Description-->
@ -89,4 +89,8 @@ ADMX Info:
<hr/>
<!--/Policies-->
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AppXRuntime
description: Policy CSP - ADMX_AppXRuntime
description: Learn about the Policy CSP - ADMX_AppXRuntime.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -72,7 +72,7 @@ manager: dansimp
<!--Description-->
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
If you enable this policy setting, you can define more Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
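Review bot: Replacing "additional" with "more" in the enabled paragraph makes the sentence harder to parse: "you can define more Content URI Rules that all Windows Store apps ..." no longer signals that these rules supplement the static ones from the app manifest. Suggest keeping "additional", or rewording to "define Content URI Rules in addition to the static ones". The last line of the hunk also says "don't set this policy setting" where the rest of the commit uses "don't configure".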
@ -117,11 +117,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
<!--/Description-->
@ -164,9 +164,9 @@ ADMX Info:
<!--Description-->
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected.
If you enable this policy setting, Universal Windows apps that declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps that haven't declared Windows Runtime API access in the manifest aren't affected.
If you disable or do not configure this policy setting, all Universal Windows apps can be launched.
If you disable or don't configure this policy setting, all Universal Windows apps can be launched.
> [!WARNING]
> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues.
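Review bot: The rewritten enabled paragraph reads "declare Windows Runtime API access in ApplicationContentUriRules section of the manifest", which is missing "the" before the element name. Suggest "in the ApplicationContentUriRules section of the manifest".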
@ -211,11 +211,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
> [!NOTE]
> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
@ -236,3 +236,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AttachmentManager
description: Policy CSP - ADMX_AttachmentManager
description: Learn about the Policy CSP - ADMX_AttachmentManager.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -77,13 +77,13 @@ This policy setting allows you to configure the logic that Windows uses to deter
Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files.
Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options.
Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation that will cause users to see more trust prompts than choosing the other options.
If you enable this policy setting, you can choose the order in which Windows processes risk assessment data.
If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
<!--/Description-->
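Review bot: Changing "which" to "that" in "Windows chooses the more restrictive recommendation that will cause users to see more trust prompts" turns a side remark into a selection criterion, as if Windows picked a recommendation by how many prompts it causes. The intended meaning is that using both the file handler and type data leads to more prompts; suggest "Windows chooses the more restrictive recommendation, which causes users to see more trust prompts than the other options."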
@ -126,17 +126,15 @@ ADMX Info:
<!--Description-->
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.
High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.
Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information.
- High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.
- Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
- Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information.
If you enable this policy setting, you can specify the default risk level for file types.
If you disable this policy setting, Windows sets the default risk level to moderate.
If you do not configure this policy setting, Windows sets the default risk level to moderate.
If you don't configure this policy setting, Windows sets the default risk level to moderate.
<!--/Description-->
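Review bot: The disabled and not-configured paragraphs state the same outcome in two separate sentences ("Windows sets the default risk level to moderate"). Other descriptions in this commit use a single "If you disable or don't configure this policy setting, ..." sentence; suggest merging the two here the same way.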
@ -183,7 +181,7 @@ If you enable this policy setting, you can create a custom list of high-risk fil
If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk.
If you do not configure this policy setting, Windows uses its built-in list of high-risk file types.
If you don't configure this policy setting, Windows uses its built-in list of high-risk file types.
<!--/Description-->
@ -224,13 +222,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types that pose a low risk.
If you disable this policy setting, Windows uses its default trust logic.
If you do not configure this policy setting, Windows uses its default trust logic.
If you don't configure this policy setting, Windows uses its default trust logic.
<!--/Description-->
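Review bot: The rewritten low-risk paragraph still says "the high-risk or medium-risk inclusion lists", while the neighbouring policy descriptions name that level "moderate-risk" ("the list of moderate-risk file types"). Since this line is being touched anyway, change "medium-risk" to "moderate-risk" so a reader doesn't assume a fourth risk level exists.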
@ -273,11 +271,11 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types which pose a moderate risk.
If you enable this policy setting, you can specify file types that pose a moderate risk.
If you disable this policy setting, Windows uses its default trust logic.
If you do not configure this policy setting, Windows uses its default trust logic.
If you don't configure this policy setting, Windows uses its default trust logic.
<!--/Description-->
@ -294,3 +292,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_AuditSettings
description: Policy CSP - ADMX_AuditSettings
description: Learn about the Policy CSP - ADMX_AuditSettings.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -65,7 +65,7 @@ This policy setting determines what information is logged in security audit even
If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
If you disable or don't configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
Default is Not configured.
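Review bot: The enabled-state sentence in this hunk says command lines are logged "in plain text in the security event log", but the visible description never says that command-line arguments can carry sensitive values and become readable to anyone who can read that log. Consider adding a short NOTE to that effect next to the event 4688 sentence. As a style nit, the changed line contracts "do not" but leaves "will not be included" in the same sentence; use "won't" to match the rest of the commit.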
@ -88,3 +88,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_Bits
description: Policy CSP - ADMX_Bits
description: Learn about the Policy CSP - ADMX_Bits.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -102,9 +102,9 @@ manager: dansimp
<!--Description-->
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default.
If you enable this policy setting, the BITS client does not use Windows Branch Cache.
If you enable this policy setting, the BITS client doesn't use Windows Branch Cache.
If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache.
If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache.
> [!NOTE]
> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely.
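Review bot: The NOTE at the end of this hunk still reads "does not affect" and "does not apply", while the two sentences directly above it were changed to "doesn't" and "don't". Apply the same contraction pass to the NOTE so the section reads consistently.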
@ -152,7 +152,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi
If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers.
If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server.
If you disable or don't configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server.
> [!NOTE]
> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
@ -201,7 +201,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi
If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers.
If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers.
If you disable or don't configure this policy setting, the computer will offer downloaded and cached files to its peers.
> [!NOTE]
> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
@ -251,9 +251,9 @@ This policy setting determines if the Background Intelligent Transfer Service (B
If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server.
If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect.
If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect.
If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server.
If you disable or don't configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server.
<!--/Description-->
@ -296,15 +296,15 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server).
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server).
To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps.
To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps.
You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching.
If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching.
If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used.
If you disable this policy setting or don't configure it, the default value of 30 percent of the slowest active network interface will be used.
> [!NOTE]
> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
@ -354,7 +354,7 @@ If you enable this policy setting, you can define a separate set of network band
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used.
If you disable or don't configure this policy setting, the limits defined for work or non-work schedules will be used.
> [!NOTE]
> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
@ -399,13 +399,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that aren't defined in a work schedule are considered non-work hours.
If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours.
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
<!--/Description-->
@ -451,7 +451,7 @@ This policy setting limits the maximum amount of disk space that can be used for
If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent.
If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size.
If you disable or don't configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size.
> [!NOTE]
> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
@ -495,11 +495,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days.
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that haven't been accessed in the past 90 days.
If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days.
If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache.
If you disable or don't configure this policy setting, files that haven't been accessed for the past 90 days will be removed from the peer cache.
> [!NOTE]
> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured.
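Review bot: The NOTE closing this hunk names the policy "Allow BITS Peercaching", but every other NOTE in this file calls it "Allow BITS peer caching". Use one spelling, ideally the exact display name from the ADMX template, so readers can search for the setting by name.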
@ -551,7 +551,7 @@ By default BITS uses a maximum download time of 90 days (7,776,000 seconds).
If you enable this policy setting, you can set the maximum job download time to a specified number of seconds.
If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used.
If you disable or don't configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used.
<!--/Description-->
@ -593,11 +593,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain.
This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain.
If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number.
If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain.
If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain.
> [!NOTE]
> BITS Jobs created by services and the local administrator account do not count toward this limit.
@ -646,7 +646,7 @@ This policy setting limits the number of BITS jobs that can be created for all u
If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number.
If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs.
If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs.
> [!NOTE]
> BITS jobs created by services and the local administrator account do not count toward this limit.
@ -695,7 +695,7 @@ This policy setting limits the number of BITS jobs that can be created by a user
If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number.
If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs.
If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs.
> [!NOTE]
> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit.
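Review bot: The default per-user limit of 300 jobs on the changed line conflicts with the NOTE under it, which says the per-user limit must be lower than the per-computer setting, "or 300 if the ... policy setting is not configured". A default of 300 can't be lower than 300, so one of the two statements is wrong; check the default against the ADMX template before merging. The NOTE also keeps "is not" and "do not" uncontracted, unlike the edited line.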
@ -744,7 +744,7 @@ This policy setting limits the number of ranges that can be added to a file in a
If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number.
If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file.
If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file.
> [!NOTE]
> BITS Jobs created by services and the local administrator account do not count toward this limit.
@ -766,3 +766,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_CipherSuiteOrder
description: Policy CSP - ADMX_CipherSuiteOrder
description: Learn about the Policy CSP - ADMX_CipherSuiteOrder.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -146,4 +146,8 @@ ADMX Info:
<hr/>
<!--/Policies-->
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_COM
description: Policy CSP - ADMX_COM
description: Learn about the Policy CSP - ADMX_COM.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -66,11 +66,11 @@ manager: dansimp
<!--Description-->
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components.
If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly.
If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly.
If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@ -118,11 +118,11 @@ ADMX Info:
<!--Description-->
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components.
If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly.
If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly.
If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@ -141,3 +141,6 @@ ADMX Info:
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_ControlPanel
description: Policy CSP - ADMX_ControlPanel
description: Learn about the Policy CSP - ADMX_ControlPanel.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -82,7 +82,9 @@ To hide a Control Panel item, enable this policy setting and click Show to acces
If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored.
> [!NOTE]
> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.
>
>To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
<!--/Description-->
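Review bot: The new second paragraph of the NOTE starts with ">To hide pages", with no space after the quote marker, while the first paragraph uses "> The Display". Make it "> To hide pages" so both lines follow the same blockquote style. The first paragraph also needs a comma in "the computer's display settings, use the ...", and "cannot be hidden" was missed by the contraction pass.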
@ -130,7 +132,7 @@ If this policy setting is enabled, the Control Panel opens to the icon view.
If this policy setting is disabled, the Control Panel opens to the category view.
If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session.
If this policy setting isn't configured, the Control Panel opens to the view used in the last Control Panel session.
> [!NOTE]
> Icon size is dependent upon what the user has set it to in the previous session.
@ -177,7 +179,7 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app.
This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items.
This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items.
This setting removes Control Panel from:
@ -260,4 +262,8 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--/Policies-->
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ADMX_ControlPanelDisplay
description: Policy CSP - ADMX_ControlPanelDisplay
description: Learn about the Policy CSP - ADMX_ControlPanelDisplay.
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
@ -130,9 +130,9 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Disables the Display Control Panel.
This policy setting disables the Display Control Panel.
If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
If you enable this setting, the Display Control Panel doesn't run. When users try to start Display, a message appears explaining that a setting prevents the action.
Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
@ -176,7 +176,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Removes the Settings tab from Display in Control Panel.
This setting removes the Settings tab from Display in Control Panel.
This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer.
@ -222,9 +222,9 @@ ADMX Info:
<!--Description-->
This setting forces the theme color scheme to be the default color scheme.
If you enable this setting, a user cannot change the color scheme of the current desktop theme.
If you enable this setting, a user can't change the color scheme of the current desktop theme.
If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme.
If you disable or don't configure this setting, a user may change the color scheme of the current desktop theme.
For Windows 7 and later, use the "Prevent changing color and appearance" setting.
@ -269,12 +269,12 @@ ADMX Info:
<!--Description-->
This setting disables the theme gallery in the Personalization Control Panel.
If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
If you enable this setting, users can't change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
If you disable or do not configure this setting, there is no effect.
If you disable or don't configure this setting, there's no effect.
> [!NOTE]
> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
> If you enable this setting but don't specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
<!--/Description-->
@ -315,7 +315,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens.
This policy setting prevents users or applications from changing the visual style of the windows and buttons displayed on their screens.
When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties.
@ -360,11 +360,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Enables desktop screen savers.
This policy setting enables desktop screen savers.
If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options.
If you disable this setting, screen savers don't run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users can't change the screen saver options.
If you do not configure it, this setting has no effect on the system.
If you don't configure it, this setting has no effect on the system.
If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel.
@ -409,15 +409,16 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens.
This setting allows you to force a specific default lock screen and sign-in image by entering the path (location) of the image file. The same image will be used for both the lock and sign-in screens.
This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image).
This setting lets you specify the default lock screen and sign-in image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image).
To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`.
To use this setting, type the fully qualified path and name of the file that stores the default lock screen and sign-in image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`.
This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown.
This setting can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and sign-in image to be shown.
Note: This setting only applies to Enterprise, Education, and Server SKUs.
>[!NOTE]
> This setting only applies to Enterprise, Education, and Server SKUs.
<!--/Description-->
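Review bot: On the changed "To use this setting" line, the local path C:\Windows\Web\Screen\img104.jpg is left as plain text while the UNC path beside it is in backticks; put both in code formatting so the backslashes render reliably. The new alert is written ">[!NOTE]" without the space used by the other alerts in this commit ("> [!NOTE]"). The quoted policy name "Prevent changing lock screen and logon image" correctly keeps "logon", since it's a display name.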
@ -459,11 +460,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the size of the font in the windows and buttons displayed on their screens.
This setting prevents users from changing the size of the font in the windows and buttons displayed on their screens.
If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled.
If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
If you disable or don't configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
<!--/Description-->
@ -504,11 +505,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the background image shown when the machine is locked or when on the logon screen.
Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen.
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
By default, users can change the background image shown when the machine is locked or displaying the sign-in screen.
If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
If you enable this setting, the user won't be able to change their lock screen and sign-in image, and they'll instead see the default image.
<!--/Description-->
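Review bot: The new first line of this description still opens with the bare verb, "Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen.", while the sibling descriptions changed in this file now open with "This setting prevents ..."; suggest the same lead-in here so the descriptions stay consistent.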
@ -549,11 +550,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the look of their start menu background, such as its color or accent.
This setting prevents users from changing the look of their start menu background, such as its color or accent.
By default, users can change the look of their start menu background, such as its color or accent.
If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
If you enable this setting, the user will be assigned the default start menu background and colors and won't be allowed to change them.
If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy.
@ -598,13 +599,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available.
This setting disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature isn't available.
This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
This setting also prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the Display in Control Panel.
<!--/Description-->
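Review bot: The last changed line removes the doubled "in the in", but the result, "hides the Appearance and Themes tabs in the Display in Control Panel", still reads awkwardly; suggest "hides the Appearance and Themes tabs in Display in Control Panel".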
@ -645,7 +646,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from adding or changing the background design of the desktop.
This setting prevents users from adding or changing the background design of the desktop.
By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop.
@ -653,7 +654,8 @@ If you enable this setting, none of the Desktop Background settings can be chang
To specify wallpaper for a group, use the "Desktop Wallpaper" setting.
Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information.
>[!NOTE]
>You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information.
Also, see the "Allow only bitmapped wallpaper" setting.
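Review bot: The converted note is written as ">[!NOTE]" and ">You must also enable ..." with no space after the ">", while other notes in this file use "> [!NOTE]"; suggest matching that spacing so the note blocks are formatted the same way throughout.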
@ -696,7 +698,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the desktop icons.
This setting prevents users from changing the desktop icons.
By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons.
@ -745,9 +747,9 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users.
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you enable this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
If you disable or don't configure this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
<!--/Description-->
@ -788,7 +790,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers.
Available in the latest Windows 10 Insider Preview Build. This setting prevents users from changing the mouse pointers.
By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers.
@ -833,9 +835,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel.
This setting prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel.
This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running.
This setting also prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It doesn't prevent a screen saver from running.
<!--/Description-->
@ -876,7 +878,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the sound scheme.
This setting prevents users from changing the sound scheme.
By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme.
@ -921,11 +923,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB.
This setting forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB.
By default, users can change the background and accent colors.
If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users can't change those colors. This setting won't be applied if the specified colors don't meet a contrast ratio of 2:1 with white text.
<!--/Description-->
@ -966,13 +968,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Determines whether screen savers used on the computer are password protected.
This setting determines whether screen savers used on the computer are password protected.
If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.
If you enable this setting, all screen savers are password protected. If you disable this setting, password protection can't be set on any screen saver.
This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting.
If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.
If you don't configure this setting, users can choose whether or not to set password protection on each screen saver.
To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.
@ -1020,17 +1022,15 @@ ADMX Info:
<!--Description-->
Specifies how much user idle time must elapse before the screen saver is launched.
When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver won't be started.
This setting has no effect under any of the following circumstances:
- The setting is disabled or not configured.
- The wait time is set to zero.
- The "Enable Screen Saver" setting is disabled.
- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client.
- The "Screen saver executable name" setting and the Screen Saver dialog of the client computer's Personalization or Display Control Panel don't specify a valid existing screen saver program on the client.
When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes.
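Review bot: The rewritten last bullet changes the meaning of the condition: "Neither the ... setting nor the Screen Saver dialog ... specifies a valid existing screen saver program" became "The ... setting and the Screen Saver dialog ... don't specify ...", which can be read as "not both" instead of "neither". The original sentence has no contraction to fix, so suggest keeping the "Neither ... nor ... specifies" form. This list decides when the idle timeout has no effect, so it should stay unambiguous.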
@ -1073,18 +1073,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the screen saver for the user's desktop.
This setting specifies the screen saver for the user's desktop.
If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver.
If you disable this setting or do not configure it, users can select any screen saver.
If you disable this setting or don't configure it, users can select any screen saver.
If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.
If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file isn't in the %Systemroot%\System32 directory, type the fully qualified path to the file.
If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
If the specified screen saver isn't installed on a computer to which this setting applies, the setting is ignored.
> [!NOTE]
> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run.
> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers don't run.
<!--/Description-->
@ -1127,9 +1127,9 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on.
If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon.
If you enable this setting, the theme that you specify will be applied when a new user signs in for the first time. This policy doesn't prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first sign in.
If you disable or do not configure this setting, the default theme will be applied at the first logon.
If you disable or don't configure this setting, the default theme will be applied at the first sign in.
<!--/Description-->
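Review bot: The unchanged first line still says "the first time a user logs on" while the changed lines now say "signs in", and the changed lines use "sign in" as a noun in "after the first sign in" and "at the first sign in". Suggest "signs in" in the first line and the hyphenated noun "sign-in" in the other two.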
@ -1172,18 +1172,18 @@ ADMX Info:
<!--Description-->
This setting allows you to force a specific visual style file by entering the path (location) of the visual style file.
This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles).
This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles).
If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes.
If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available).
If you disable or don't configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available).
> [!NOTE]
> If this setting is enabled and the file is not available at user logon, the default visual style is loaded.
> If this setting is enabled and the file isn't available at user logon, the default visual style is loaded.
>
> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles.
>
> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style.
> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style.
<!--/Description-->
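Review bot: The rewritten second line has a stray "one" after the parenthesis: "This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server". Suggest "This file can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path". The changed note line also keeps "at user logon" although the rest of the change moves to "sign-in".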
@ -1228,7 +1228,7 @@ Forces the Start screen to use one of the available backgrounds, 1 through 20, a
If this setting is set to zero or not configured, then Start uses the default background, and users can change it.
If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used.
If this setting is set to a nonzero value, then Start uses the specified background, and users can't change it. If the specified background isn't supported, the default background is used.
<!--/Description-->
@ -1244,4 +1244,8 @@ ADMX Info:
<hr/>
<!--/Policies-->
<!--/Policies-->
## Related topics
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)

View File

@ -95,9 +95,9 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first signing in to Windows).
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -152,11 +152,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first logging on to Windows).
The policy becomes effective the next time the user signs on to a computer running Windows.
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
FWlink for KB:
https://go.microsoft.com/fwlink/?LinkId=301508
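Review bot: The changed sentence keeps "when first logging on to Windows", while the equivalent sentence in the previous hunk of this file was changed to "when first signing in to Windows"; suggest "signing in" here too, and in the "Deny delegating default credentials" description later in the file, which keeps the same wording. The unchanged "For more information, see KB." followed by a bare "FWlink for KB:" line would also be worth tidying while these lines are being touched.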
@ -215,14 +215,14 @@ Some versions of the CredSSP protocol are vulnerable to an encryption oracle att
If you enable this policy setting, CredSSP version support will be selected based on the following options:
- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients.
- Force Updated Clients: Client applications that use CredSSP won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients.
> [!NOTE]
> This setting should not be deployed until all remote hosts support the newest version.
- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
- Mitigated: Client applications that use CredSSP won't be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
- Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting a fallback to the insecure versions and services using CredSSP will accept unpatched clients.
For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660
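Review bot: The "Mitigated" bullet says clients can't fall back to "the insecure version" (singular), while the "Force Updated Clients" and "Vulnerable" bullets say "the insecure versions"; pick one so the three options clearly describe the same fallback. Each bullet also joins the client behaviour and the service behaviour with a bare "and"; a comma before "and services using CredSSP" would make it clearer which half applies to clients and which to services when an administrator is choosing a protection level.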
@ -269,11 +269,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN.
@ -327,11 +327,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -385,11 +385,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
If you disable this policy setting, delegation of saved credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -443,11 +443,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine isn't a member of any domain. If the client is domain-joined, by default, the delegation of saved credentials isn't permitted to any machine.
If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
If you disable this policy setting, delegation of saved credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -499,12 +499,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can't be delegated (default credentials are those credentials that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -555,12 +555,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can't be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -611,12 +611,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can't be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -665,7 +665,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device.
When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device.
Participating apps:
Remote Desktop Client
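Review bot: The rewritten sentence repeats its subject: "When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose ...". Suggest "When running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed-in or supplied credentials to a remote host." The change also introduces "applications" here while the following unchanged line still says "Participating apps:", so one term should be used throughout.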
@ -676,12 +676,12 @@ If you enable this policy setting, the following options are supported:
- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts.
- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts.
If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.
If you disable or don't configure this policy setting, Restricted Admin and Remote Credential Guard mode aren't enforced and participating apps can delegate credentials to remote devices.
> [!NOTE]
> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation).
>
> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.
> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions don't support Remote Credential Guard.
<!--/Description-->
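Review bot: the last note line of this hunk still says "Restricted Administration mode", while the option list above it says "Require Restricted Admin" and "Restricted Admin and Remote Credential Guard mode". That line is being edited anyway, so use one name throughout; otherwise a reader can take these for two different modes when working out which one Windows 8.1 and Windows Server 2012 R2 enforce.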

View File

@ -69,9 +69,9 @@ This policy setting requires the user to enter Microsoft Windows credentials usi
> [!NOTE]
> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism.
If you disable or do not configure this policy setting, users will enter Windows credentials within the users desktop session, potentially allowing malicious code access to the users Windows credentials.
If you disable or don't configure this policy setting, users will enter Windows credentials within the users desktop session, potentially allowing malicious code access to the users Windows credentials.
<!--/Description-->
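Review bot: the edited "If you disable or don't configure" line still carries two missing apostrophes, "within the users desktop session" and "access to the users Windows credentials". Both should read "user's". This is the sentence that states the risk of leaving the policy off, so it is worth getting right in the same pass as the contraction change.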
@ -112,7 +112,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users wont be able to set up and use security questions to reset their passwords.
Available in the latest Windows 10 Insider Preview Build. If you turn on this policy setting, local users wont be able to set up and use security questions to reset their passwords.
<!--/Description-->
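Review bot: the new line still reads "local users wont be able to set up and use security questions", with the apostrophe missing from "won't". The word-order fix ("turn on this policy setting") is fine, but the dropped apostrophe should be restored in the same edit.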

View File

@ -72,7 +72,7 @@ manager: dansimp
<!--Description-->
This policy setting prevents users from changing their Windows password on demand.
If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del.
However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
@ -119,11 +119,11 @@ ADMX Info:
<!--Description-->
This policy setting prevents users from locking the system.
While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it.
While locked, the desktop is hidden and the system can't be used. Only the user who locked the system or the system administrator can unlock it.
If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del.
If you enable this policy setting, users can't lock the computer from the keyboard using Ctrl+Alt+Del.
If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.
If you disable or don't configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.
> [!TIP]
> To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer.
@ -170,9 +170,9 @@ This policy setting prevents users from starting Task Manager.
Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action.
If you enable this policy setting, users won't be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action.
If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
If you disable or don't configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
<!--/Description-->
@ -215,11 +215,11 @@ ADMX Info:
<!--Description-->
This policy setting disables or removes all menu items and buttons that log the user off the system.
If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu.
If you enable this policy setting, users won't see the Log off menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu.
Also, see the 'Remove Logoff on the Start Menu' policy setting.
If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
If you disable or don't configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
<!--/Description-->
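Review bot: in the rewritten second sentence, "This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu" is not parallel ("unless they restart ... or clicking"), and "This scenario" has no clear referent. Suggest "This setting prevents them from logging off unless they restart or shut down the computer, or click Log off from the Start menu."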

View File

@ -63,9 +63,9 @@ manager: dansimp
<!--Description-->
This policy setting defines the identifier used to uniquely associate this devices telemetry data as belonging to a given organization.
If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.
If you disable or don't configure this policy setting, then Microsoft won't be able to use this identifier to associate this machine and its telemetry data with your organization.
<!--/Description-->
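Review bot: the first description line, left unchanged by this hunk, reads "this devices telemetry data", which is missing the possessive apostrophe ("this device's telemetry data"). The two lines below it are already being edited for punctuation and contractions, so fix this one in the same pass.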

View File

@ -66,10 +66,10 @@ manager: dansimp
<!--Description-->
This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.
- If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
- If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
- If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list.
If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured.
- If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list.
If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
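Review bot: the first bullet is still split into a fragment and a sentence: "If you enable this policy setting, and DCOM doesn't find an explicit entry ... policy (if enabled). Then DCOM will look for an entry in the locally configured list." The first part is a dependent clause that ends in a period. Join them: "... in the "Define Activation Security Check exemptions" policy (if enabled), then DCOM will look for an entry in the locally configured list."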
@ -113,25 +113,25 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check.
This policy setting allows you to view and change a list of DCOM server application IDs (app IDs), which are exempted from the DCOM Activation security check.
DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.
DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server application IDs added to this policy must be listed in curly brace format.
For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors.
If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local
If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local
settings.
- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.
DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
DCOM servers added to this exemption list are only exempted if their custom launch permissions don't contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
> [!NOTE]
> Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present.
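Review bot: the new comma in "If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors" splits the term "application ID" and changes what the sentence says. It should be "improperly formatted application ID, DCOM will add it ...". Also, the two value lines are now inconsistent: one says "set its value to one" and the next "set its value to 0". Since the value decides whether the Activation security check is skipped for that server, write both as numerals (1 and 0).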

View File

@ -145,13 +145,13 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying more filters to search results.
If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.
If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu.
If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu.
To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter.
To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter.
<!--/Description-->
@ -197,9 +197,9 @@ Hides the Active Directory folder in Network Locations.
The Active Directory folder displays Active Directory objects in a browse window.
If you enable this setting, the Active Directory folder does not appear in the Network Locations folder.
If you enable this setting, the Active Directory folder doesn't appear in the Network Locations folder.
If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder.
If you disable this setting or don't configure it, the Active Directory folder appears in the Network Locations folder.
This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory.
@ -243,11 +243,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those displays in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.
If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search.
If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space.
If you disable this setting or don't configure it, the system displays up to 10,000 objects. This screen-display consumes approximately 2 MB of memory or disk space.
This setting is designed to protect the network and the domain controller from the effect of expansive searches.
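Review bot: "This screen-display consumes approximately 2 MB of memory or disk space" replaces a vague "This" with a term that appears nowhere else in the description. The thing that consumes memory is the list of up to 10,000 objects, so something like "Displaying this many objects consumes approximately 2 MB of memory or disk space" would say it directly.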
@ -295,7 +295,7 @@ Enables Active Desktop and prevents users from disabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
@ -343,7 +343,7 @@ Disables Active Desktop and prevents users from enabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
@ -390,7 +390,7 @@ ADMX Info:
<!--Description-->
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.
This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components.
This setting is a comprehensive one that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users can't enable or disable Active Desktop. If Active Desktop is already enabled, users can't add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components.
<!--/Description-->
@ -433,9 +433,9 @@ ADMX Info:
<!--Description-->
Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations.
Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent.
Removing icons and shortcuts doesn't prevent the user from using another method to start the programs or opening the items they represent.
Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.
Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. The removal of the Desktop icon will help prevent users from saving data to the Desktop.
<!--/Description-->
@ -479,12 +479,12 @@ ADMX Info:
<!--Description-->
Prevents users from using the Desktop Cleanup Wizard.
If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.
If you enable this setting, the Desktop Cleanup wizard doesn't automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.
If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.
If you disable this setting or don't configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.
> [!NOTE]
> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
> When this setting isn't enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
<!--/Description-->
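Review bot: the feature name is spelled three ways across the lines this hunk touches: "Desktop Cleanup Wizard", "Desktop Cleanup wizard" (lowercase w), and "Desktop Clean Wizard" in the "If you disable this setting or don't configure it" line. Use "Desktop Cleanup Wizard" in all of them while these lines are open.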
@ -528,7 +528,7 @@ ADMX Info:
<!--Description-->
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.
This setting does not prevent the user from starting Internet Explorer by using other methods.
This setting doesn't prevent the user from starting Internet Explorer by using other methods.
<!--/Description-->
@ -576,10 +576,10 @@ If you enable this setting, Computer is hidden on the desktop, the new Start men
If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.
If you do not configure this setting, the default is to display Computer as usual.
If you don't configure this setting, the default is to display Computer as usual.
> [!NOTE]
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents doesn't hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
<!--/Description-->
@ -625,9 +625,9 @@ Removes most occurrences of the My Documents icon.
This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder.
This setting doesn't prevent the user from using other methods to gain access to the contents of the My Documents folder.
This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting.
This setting doesn't remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting.
> [!NOTE]
> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional.
@ -673,7 +673,7 @@ ADMX Info:
<!--Description-->
Removes the Network Locations icon from the desktop.
This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network.
This setting only affects the desktop icon. It doesn't prevent users from connecting to the network or browsing for shared computers on the network.
> [!NOTE]
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon.
@ -720,9 +720,9 @@ ADMX Info:
<!--Description-->
This setting hides Properties on the context menu for Computer.
If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected.
If you enable this setting, the Properties option won't be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected.
If you disable or do not configure this setting, the Properties option is displayed as usual.
If you disable or don't configure this setting, the Properties option is displayed as usual.
<!--/Description-->
@ -766,13 +766,13 @@ ADMX Info:
<!--Description-->
This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon.
If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following:
If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following tasks:
- Right-clicks the My Documents icon.
- Clicks the My Documents icon, and then opens the File menu.
- Clicks the My Documents icon, and then presses ALT+ENTER.
If you disable or do not configure this policy setting, the Properties menu command is displayed.
If you disable or don't configure this policy setting, the Properties menu command is displayed.
<!--/Description-->
@ -814,11 +814,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Remote shared folders are not added to Network Locations whenever you open a document in the shared folder.
Remote shared folders aren't added to Network Locations whenever you open a document in the shared folder.
If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations.
If you disable this setting or don't configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations.
If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder.
If you enable this setting, shared folders aren't added to Network Locations automatically when you open a document in the shared folder.
<!--/Description-->
@ -864,7 +864,7 @@ Removes most occurrences of the Recycle Bin icon.
This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
This setting doesn't prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
> [!NOTE]
> To make changes to this setting effective, you must log off and then log back on.
@ -910,9 +910,9 @@ ADMX Info:
<!--Description-->
Removes the Properties option from the Recycle Bin context menu.
If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.
If you enable this setting, the Properties option won't be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.
If you disable or do not configure this setting, the Properties option is displayed as usual.
If you disable or don't configure this setting, the Properties option is displayed as usual.
<!--/Description-->
@ -956,7 +956,7 @@ ADMX Info:
<!--Description-->
Prevents users from saving certain changes to the desktop.
If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, aren't saved when users sign out. However, shortcuts placed on the desktop are always saved.
<!--/Description-->
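Review bot: this hunk changes "when users log off" to "when users sign out", but other descriptions in the same commit keep the older wording ("Log off menu item", "you must log off and then log back on", "when the user logs on"). If the terminology is moving to "sign out", say so in the commit message and apply it consistently, keeping "Log off" only where it names a UI label.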
@ -1000,9 +1000,9 @@ ADMX Info:
<!--Description-->
Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse.
If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse.
If you enable this policy, application windows won't be minimized or restored when the active window is shaken back and forth with the mouse.
If you disable or do not configure this policy, this window minimizing and restoring gesture will apply.
If you disable or don't configure this policy, this window minimizing and restoring gesture will apply.
<!--/Description-->
@ -1047,14 +1047,14 @@ Specifies the desktop background ("wallpaper") displayed on all users' desktops.
This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file.
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file isn't available when the user logs on, no wallpaper is displayed. Users can't specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users can't change this specification.
If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
If you disable this setting or don't configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
> [!NOTE]
> This setting does not apply to remote desktop server sessions.
> This setting doesn't apply to remote desktop server sessions.
<!--/Description-->
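Review bot: the paths and file patterns in the "To use this setting" line are plain text: "C:\Windows\web\wallpaper\home.jpg", "\\\Server\Share\Corp.jpg" with an escaped leading backslash, and "(*.bmp)" / "(*.jpg)" with bare asterisks. Since the line is being rewritten, put them in inline code formatting so the UNC path can be written with its literal two leading backslashes and the asterisks can't be read as emphasis markers.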
@ -1097,7 +1097,7 @@ ADMX Info:
<!--Description-->
Prevents users from adding Web content to their Active Desktop.
This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. This setting doesn't remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
Also, see the "Disable all items" setting.
@ -1142,12 +1142,12 @@ ADMX Info:
<!--Description-->
Prevents users from removing Web content from their Active Desktop.
In Active Desktop, you can add items to the desktop but close them so they are not displayed.
In Active Desktop, you can add items to the desktop but close them so they aren't displayed.
If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
If you enable this setting, items added to the desktop can't be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
> [!NOTE]
> This setting does not prevent users from deleting items from their Active Desktop.
> This setting doesn't prevent users from deleting items from their Active Desktop.
<!--/Description-->
@ -1193,7 +1193,7 @@ Prevents users from deleting Web content from their Active Desktop.
This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop.
This setting does not prevent users from adding Web content to their Active Desktop.
This setting doesn't prevent users from adding Web content to their Active Desktop.
Also, see the "Prohibit closing items" and "Disable all items" settings.
@ -1239,7 +1239,7 @@ ADMX Info:
<!--Description-->
Prevents users from changing the properties of Web content items on their Active Desktop.
This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics.
This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users can't change the properties of an item, such as its synchronization schedule, password, or display characteristics.
<!--/Description-->
@ -1283,10 +1283,10 @@ ADMX Info:
<!--Description-->
Removes Active Desktop content and prevents users from adding Active Desktop content.
This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop.
This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop.
> [!NOTE]
> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
> This setting doesn't disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
<!--/Description-->
@ -1335,10 +1335,10 @@ You can use the "Add" box in this setting to add particular Web-based items or s
You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed.
> [!NOTE]
> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again.
> Removing an item from the "Add" list for this setting isn't the same as deleting it. Items that are removed from the "Add" list aren't removed from the desktop. They are simply not added again.
> [!NOTE]
> For this setting to take affect, you must log off and log on to the system.
> For this setting to take effect, you must log off and log on to the system.
<!--/Description-->
@ -1382,7 +1382,7 @@ ADMX Info:
<!--Description-->
Prevents users from manipulating desktop toolbars.
If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
If you enable this setting, users can't add or remove toolbars from the desktop. Also, users can't drag toolbars onto or off from the docked toolbars.
> [!NOTE]
> If users have added or removed toolbars, this setting prevents them from restoring the default configuration.
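Review bot: In the rewritten second sentence, "drag toolbars onto or off from the docked toolbars" is harder to read than the line it replaces, and the added "the" narrows it from docked toolbars in general to some specific set. Suggest "users can't drag toolbars onto or off docked toolbars", so the only changes are the contraction and "onto".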
@ -1432,9 +1432,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars.
Prevents users from adjusting the length of desktop toolbars. Also, users can't reposition items or toolbars on docked toolbars.
This setting does not prevent users from adding or removing toolbars on the desktop.
This setting doesn't prevent users from adding or removing toolbars on the desktop.
> [!NOTE]
> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration.
@ -1481,7 +1481,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper doesn't load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings.

View File

@ -65,12 +65,12 @@ This policy setting lets you deploy a Code Integrity Policy to a machine to cont
If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy.
To enable this policy the machine must be rebooted.
To enable this policy, the machine must be rebooted.
The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`),
or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`.
The local machine account (LOCAL SYSTEM) must have access permission to the policy file.
If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
1. First update the policy to a non-protected policy and then disable the setting.
2. Disable the setting and then remove the policy from each computer, with a physically present user.
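Review bot: In the unchanged local-path example, the closing parenthesis sits inside the code span ("`C:\FolderName\SIPolicy.p7b)`"), so anyone copying the span gets a path ending in ")". Since this hunk already edits the paragraph, move the backtick in front of the parenthesis, as the UNC example on the line above does. The line "The local machine account (LOCAL SYSTEM) must have access permission to the policy file" also does not say which permission is needed; for a Code Integrity policy file, it is worth stating the specific right rather than "access".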

View File

@ -86,7 +86,7 @@ This policy setting allows you to determine whether members of the Administrator
If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
<!--/Description-->
@ -132,7 +132,7 @@ This policy setting allows you to display a custom message to users in a notific
If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
<!--/Description-->
@ -178,7 +178,7 @@ This policy setting allows you to display a custom message title in a notificati
If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
<!--/Description-->
@ -224,7 +224,7 @@ This policy setting allows you to configure the number of seconds Windows waits
If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
<!--/Description-->
@ -268,11 +268,11 @@ ADMX Info:
<!--Description-->
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
If you enable this policy setting, set the number of seconds you want the system to wait until a reboot.
If you disable or do not configure this policy setting, the system does not force a reboot.
If you disable or don't configure this policy setting, the system doesn't force a reboot.
Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
Note: If no reboot is forced, the device installation restriction right won't take effect until the system is restarted.
<!--/Description-->
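Review bot: The last changed line keeps "the device installation restriction right", which does not match the first sentence of this description, where the thing being enforced is "device installation restriction policies". Please confirm whether "right" should read "policies" and fix it in this pass. The same line is written as inline "Note:" text, while the other descriptions in this change use the "> [!NOTE]" block; converting it would keep the files consistent.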
@ -314,11 +314,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
If you disable or don't configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
<!--/Description-->
@ -361,9 +361,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity.
If you enable this policy setting, Windows does not create a system restore point when one would normally be created.
If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created.
If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would.
<!--/Description-->
@ -409,7 +409,7 @@ This policy setting specifies a list of device setup class GUIDs describing devi
If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
<!--/Description-->

View File

@ -66,9 +66,9 @@ manager: dansimp
<!--Description-->
This policy setting allows you to turn off "Found New Hardware" balloons during device installation.
If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.
If you enable this policy setting, "Found New Hardware" balloons don't appear while a device is being installed.
If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
If you disable or don't configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
<!--/Description-->
@ -114,9 +114,9 @@ This policy setting allows you to specify the order in which Windows searches so
If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system.
Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system.
If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
<!--/Description-->
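Review bot: On the rewritten "Searching always implies ..." line, the phrase "even if the network is temporarily available" was carried over unchanged and reads as the opposite of what the sentence argues. "temporarily unavailable" looks intended; please confirm and correct it here. Dropping "Note that" also leaves "Searching always" ambiguous, because it can be read as an adverb rather than as the name of the unconditional search option listed in the previous paragraph. Something like "Selecting the option to always search implies ..." would remove the ambiguity.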

View File

@ -68,9 +68,9 @@ This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
If you enable this setting, Digital Locker will not run.
If you enable this setting, Digital Locker won't run.
If you disable or do not configure this setting, Digital Locker can be run.
If you disable or don't configure this setting, Digital Locker can be run.
<!--/Description-->
@ -116,9 +116,9 @@ This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
If you enable this setting, Digital Locker will not run.
If you enable this setting, Digital Locker won't run.
If you disable or do not configure this setting, Digital Locker can be run.
If you disable or don't configure this setting, Digital Locker can be run.
<!--/Description-->

View File

@ -67,14 +67,14 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.
This policy setting turns off the boot and resumes optimizations for the hybrid hard disks in the system.
If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.
If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume.
If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
The system determines the data that will be stored in the NV cache to optimize boot and resume.
The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
This policy setting is applicable only if the NV cache feature is on.
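Review bot: The first changed line turns "boot and resume optimizations" into "boot and resumes optimizations", which makes "resumes" a verb and changes what the setting is said to do. The following lines still say "optimize boot and resume" and "boot and resume optimizations", so the original wording was correct and that word should be reverted. In the last changed line, "This storage in such a location might cause" is vaguer than the sentence it replaces; "Storing this data might cause a slight increase ..." says the same thing more directly.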
@ -119,11 +119,11 @@ This policy setting turns off all support for the non-volatile (NV) cache on all
To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
If you enable this policy setting, the system won't manage the NV cache and won't enable NV cache power saving mode.
If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache.
@ -170,9 +170,9 @@ This policy setting turns off the solid state mode for the hybrid hard disks.
If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache.
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
This usage can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
<!--/Description-->

View File

@ -79,7 +79,7 @@ manager: dansimp
<!--Description-->
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media.
If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
If you disable or don't configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.
@ -124,13 +124,13 @@ ADMX Info:
<!--Description-->
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.
If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
If you enable this policy setting, disk quota management is turned on, and users can't turn it off.
If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on.
If you disable the policy setting, disk quota management is turned off, and users can't turn it on. When this policy setting isn't configured then the disk quota management is turned off by default, and the administrators can turn it on.
To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit.
This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit.
To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
@ -180,9 +180,9 @@ This policy setting determines whether disk quota limits are enforced and preven
If you enable this policy setting, disk quota limits are enforced.
If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators can't make changes while the setting is in effect.
If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
This policy setting overrides user settings that enable or disable quota enforcement on their volumes.
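Review bot: Both the old and new versions of the first changed line quote the Quota tab option as "Deny disk space to users exceed quota limit", which is not grammatical as written and so is unlikely to match the UI string exactly. Since the line is being edited anyway, check the label against the Quota tab and correct the quotation so administrators can find the option by name.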
@ -232,9 +232,9 @@ This policy setting determines whether the system records an event in the local
If you enable this policy setting, the system records an event when the user reaches their limit.
If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes.
This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their limit, because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
@ -282,9 +282,9 @@ This policy setting determines whether the system records an event in the Applic
If you enable this policy setting, the system records an event.
If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect.
If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect.
If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes.
If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their warning level because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
@ -332,11 +332,11 @@ This policy setting specifies the default disk quota limit and warning level for
This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit.
This setting overrides new users settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab.
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
This policy setting applies to all new users as soon as they write to the volume. It doesn't affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
If you disable or don't configure this policy setting, the disk space available to users isn't limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group.
This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas aren't enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
<!--/Description-->
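Review bot: The unchanged context line "This setting overrides new users settings" is missing the possessive apostrophe ("new users' settings"). In the rewritten sentence "set the limit and warning level so that it's reasonable", the pronoun now refers to two items, so "so that they're reasonable" fits better than "it's". Both are small, but this change is a wording pass over exactly these paragraphs.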

View File

@ -64,7 +64,7 @@ manager: dansimp
This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
The DLT client can more reliably track links when allowed to use the DLT server.
This policy should not be set unless the DLT server is running on all domain controllers in the domain.
This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
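Review bot: The trailing NOTE in this hunk, "This policy setting applies to all sites in Trusted zones.", does not match the policy it sits under. The description is about Distributed Link Tracking clients, domain controllers and NTFS volumes, and nothing in it refers to sites or zones, so the note reads like a leftover from a zone-based setting. Since this paragraph is already being touched for the "shouldn't" change, confirm whether the note belongs here and remove it if it does not.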

View File

@ -127,7 +127,7 @@ This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issue
If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
<!--/Description-->
@ -180,7 +180,7 @@ If you enable this policy setting, suffixes are allowed to be appended to an unq
If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
<!--/Description-->
@ -225,7 +225,7 @@ This policy setting specifies a connection-specific DNS suffix. This policy sett
If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
<!--/Description-->
@ -273,22 +273,22 @@ With devolution, a DNS client creates queries by appending a single-label, unqua
The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
Devolution is not enabled if a global suffix search list is configured using Group Policy.
Devolution isn't enabled if a global suffix search list is configured using Group Policy.
If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
If you disable this policy setting or don't configure it, DNS clients use the default devolution level of two if DNS devolution is enabled.
<!--/Description-->
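Review bot: In the long devolution example, the clause "the query example.microsoft.com is submitted" appears twice in consecutive sentences, and the new line carries the duplicate over while changing only "cannot" to "can't". An administrator reading this to choose a devolution level cannot tell from the example which query corresponds to which level, so collapse the two sentences into one that ends at "corresponding to a devolution level of two". The same line also keeps "if it is under specified devolution level" uncontracted and without an article, which is inconsistent with the rest of the edit. The identical paragraph recurs in the later devolution hunk and needs the same fix.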
@ -333,9 +333,9 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
If this policy setting is enabled, IDNs are not converted to Punycode.
If this policy setting is enabled, IDNs aren't converted to Punycode.
If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
<!--/Description-->
@ -381,7 +381,7 @@ This policy setting specifies whether the DNS client should convert internationa
If this policy setting is enabled, IDNs are converted to the Nameprep form.
If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form.
<!--/Description-->
@ -429,7 +429,7 @@ To use this policy setting, click Enabled, and then enter a space-delimited list
If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
<!--/Description-->
@ -475,7 +475,7 @@ This policy setting specifies that responses from link local name resolution pro
If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
> [!NOTE]
> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
@ -531,7 +531,7 @@ If you enable this policy setting, it supersedes the primary DNS suffix configur
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
<!--/Description-->
@ -576,13 +576,13 @@ This policy setting specifies if a computer performing dynamic DNS registration
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This suffix-update applies to all network connections used by computers that receive this policy setting.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
<!--/Description-->
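Review bot: The replacement "This suffix-update applies to all network connections" introduces a term that is not defined anywhere in the description. What applies to all connections is the registration of A and PTR records with the connection-specific suffix, not an update of a suffix. Suggest "This registration behavior applies to all network connections used by computers that receive this policy setting." Separately, the unchanged "Important:" line is plain text while neighbouring sections use the "> [!NOTE]" alert syntax; consider converting it to an alert block in the same pass.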
@ -631,11 +631,11 @@ If you enable this policy setting, registration of PTR records will be determine
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
- Do not register: Computers will not attempt to register PTR resource records
- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
- don't register: Computers won't attempt to register PTR resource records
- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
<!--/Description-->
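Review bot: The first list item now reads "- don't register: ...", which both lowercases the start of the item and rewrites what the surrounding text presents as an option in the drop-down list. The contraction pass should not touch UI labels: keep the option name exactly as it appears in the policy editor ("Do not register" in the old line) and contract only the explanatory text after the colon. The other two items still start with a capital letter, so the list is inconsistent as it stands.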
@ -678,7 +678,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
@ -724,13 +724,13 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.
<!--/Description-->
@ -774,7 +774,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
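Review bot: The opening sentence of this description ends at "refresh registration of A and PTR resource." and is missing the word "records". It is an unchanged context line, but the next paragraph is being edited here and uses "A and PTR resource records" in full, so fix the truncated sentence in the same change.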
@ -783,7 +783,7 @@ To specify the registration refresh interval, click Enabled and then enter a val
If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
<!--/Description-->
@ -831,7 +831,7 @@ To specify the TTL, click Enabled and then enter a value in seconds (for example
If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
<!--/Description-->
@ -875,7 +875,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
An unqualified single-label name contains no dots. The name "example" is a single-label name. This name is different from a fully qualified domain name such as "example.microsoft.com."
Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
@ -883,7 +883,7 @@ To use this policy setting, click Enabled, and then enter a string value represe
If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
<!--/Description-->
@ -926,11 +926,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. If multiple positive responses are received, the network binding order is used to determine which response to accept.
If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
<!--/Description-->
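Review bot: The description opens with "This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks", but the next paragraph says that enabling the setting means the client "won't perform any optimizations", and the later NOTE lines refer to it as the "turn off smart multi-homed name resolution" setting. As written, a reader skimming the first sentence will get the effect of Enabled backwards, which matters because the setting decides whether LLMNR and NetBT queries go out in parallel with DNS or only after DNS fails. Suggest rewording the first sentence to say the setting turns the optimization off, then describing the default optimized behavior.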
@ -976,7 +976,7 @@ This policy setting specifies that the DNS client should prefer responses from l
If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
> [!NOTE]
> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
@ -1030,7 +1030,7 @@ To use this policy setting, click Enabled and then select one of the following v
If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
<!--/Description-->
@ -1078,7 +1078,7 @@ By default, a DNS client that is configured to perform dynamic DNS update will u
If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
<!--/Description-->
@ -1126,9 +1126,9 @@ With devolution, a DNS client creates queries by appending a single-label, unqua
The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
Devolution is not enabled if a global suffix search list is configured using Group Policy.
Devolution isn't enabled if a global suffix search list is configured using Group Policy.
If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
@ -1136,13 +1136,13 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
<!--/Description-->
@ -1186,11 +1186,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
<!--/Description-->

View File

@ -76,11 +76,11 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting controls the default color for window frames when the user does not specify a color.
This policy setting controls the default color for window frames when the user doesn't specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color.
If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color.
If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color.
> [!NOTE]
> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.
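
Review bot: The NOTE at the end of this hunk still reads "cannot be changed by users" while every changed line moves to contractions ("doesn't", "don't"). If the goal is a consistent contraction style, change it to "can't be changed by users" here and in the identical NOTE of the duplicate policy entry in the next hunk.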
@ -125,11 +125,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls the default color for window frames when the user does not specify a color.
This policy setting controls the default color for window frames when the user doesn't specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color.
If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color.
If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color.
> [!NOTE]
> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.
@ -178,9 +178,9 @@ This policy setting controls the appearance of window animations such as those f
If you enable this policy setting, window animations are turned off.
If you disable or do not configure this policy setting, window animations are turned on.
If you disable or don't configure this policy setting, window animations are turned on.
Changing this policy setting requires a logoff for it to be applied.
Changing this policy setting requires a sign out for it to be applied.
<!--/Description-->
@ -226,9 +226,9 @@ This policy setting controls the appearance of window animations such as those f
If you enable this policy setting, window animations are turned off.
If you disable or do not configure this policy setting, window animations are turned on.
If you disable or don't configure this policy setting, window animations are turned on.
Changing this policy setting requires a logoff for it to be applied.
Changing this policy setting requires out a sign for it to be applied.
<!--/Description-->
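Review bot: The replacement for "requires a logoff" is garbled: the new line reads "requires out a sign for it to be applied". It should match the wording used for the same sentence in the previous hunk, "requires a sign out for it to be applied".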
@ -274,7 +274,7 @@ This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color.
If you disable or do not configure this policy setting, you allow users to change the default window frame color.
If you disable or don't configure this policy setting, you allow users to change the default window frame color.
> [!NOTE]
> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users.
@ -323,7 +323,7 @@ This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color.
If you disable or do not configure this policy setting, you allow users to change the default window frame color.
If you disable or don't configure this policy setting, you allow users to change the default window frame color.
> [!NOTE]
> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users.

View File

@ -96,9 +96,9 @@ manager: dansimp
<!--Description-->
This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists.
If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists.
If you enable this policy setting, Non-Publishing Standard Glyph isn't included in the candidate list when Publishing Standard Glyph for the word exists.
If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.
If you disable or don't configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.
This policy setting applies to Japanese Microsoft IME only.
@ -161,7 +161,7 @@ If you enable this policy setting, then only the character code ranges specified
- 0x1000 // IVS char
- 0xFFFF // no definition.
If you disable or do not configure this policy setting, no range of characters are filtered by default.
If you disable or don't configure this policy setting, no range of characters are filtered by default.
This policy setting applies to Japanese Microsoft IME only.
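Review bot: The rewritten sentence keeps a subject-verb mismatch, "no range of characters are filtered by default". Since the line is being touched anyway, make it "no range of characters is filtered by default".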
@ -210,9 +210,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to turn off the ability to use a custom dictionary.
If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.
If you enable this policy setting, you can't add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.
If you disable or do not configure this policy setting, the custom dictionary can be used by default.
If you disable or don't configure this policy setting, the custom dictionary can be used by default.
For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary.
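Review bot: In the new line "you can't add, edit, and delete words in the custom dictionary", the "and" under a negation can be read as blocking only the three actions together. "you can't add, edit, or delete words" states that each action is blocked.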
@ -265,7 +265,7 @@ This policy setting allows you to turn off history-based predictive input.
If you enable this policy setting, history-based predictive input is turned off.
If you disable or do not configure this policy setting, history-based predictive input is on by default.
If you disable or don't configure this policy setting, history-based predictive input is on by default.
This policy setting applies to Japanese Microsoft IME only.
@ -315,9 +315,9 @@ This policy setting allows you to turn off Internet search integration.
Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME.
If you enable this policy setting, you cannot use search integration.
If you enable this policy setting, you can't use search integration.
If you disable or do not configure this policy setting, the search integration function can be used by default.
If you disable or don't configure this policy setting, the search integration function can be used by default.
This policy setting applies to Japanese Microsoft IME.
@ -366,11 +366,11 @@ ADMX Info:
<!--Description-->
This policy setting allows you to turn off Open Extended Dictionary.
If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary.
If you enable this policy setting, Open Extended Dictionary is turned off. You can't add a new Open Extended Dictionary.
For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion.
For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting isn't used for conversion.
If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default.
If you disable or don't configure this policy setting, Open Extended Dictionary can be added and used by default.
This policy setting is applied to Japanese Microsoft IME.
@ -416,9 +416,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to turn off saving the auto-tuning result to file.
If you enable this policy setting, the auto-tuning data is not saved to file.
If you enable this policy setting, the auto-tuning data isn't saved to file.
If you disable or do not configure this policy setting, auto-tuning data is saved to file by default.
If you disable or don't configure this policy setting, auto-tuning data is saved to file by default.
This policy setting applies to Japanese Microsoft IME only.
@ -666,7 +666,7 @@ This policy setting allows you to turn on logging of misconversion for the misco
If you enable this policy setting, misconversion logging is turned on.
If you disable or do not configure this policy setting, misconversion logging is turned off.
If you disable or don't configure this policy setting, misconversion logging is turned off.
This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME.

View File

@ -80,7 +80,7 @@ This policy setting allows you to configure a list of Enhanced Storage devices b
If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.
If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
If you disable or don't configure this policy setting, all Enhanced Storage devices are usable on your computer.
<!--/Description-->
@ -125,7 +125,7 @@ This policy setting allows you to create a list of IEEE 1667 silos, compliant wi
If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.
If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
If you disable or don't configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
<!--/Description-->
@ -168,9 +168,9 @@ ADMX Info:
<!--Description-->
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.
If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device.
If you enable this policy setting, a password can't be used to unlock an Enhanced Storage device.
If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device.
If you disable or don't configure this policy setting, a password can be used to unlock an Enhanced Storage device.
<!--/Description-->
@ -213,9 +213,9 @@ ADMX Info:
<!--Description-->
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.
If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer.
If you enable this policy setting, non-Enhanced Storage removable devices aren't allowed on your computer.
If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.
If you disable or don't configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.
<!--/Description-->
@ -262,7 +262,7 @@ This policy setting is supported in Windows Server SKUs only.
If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked.
If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked.
If you disable or don't configure this policy setting, the Enhanced Storage device state isn't changed when the computer is locked.
<!--/Description-->
@ -307,7 +307,7 @@ This policy setting configures whether or not only USB root hub connected Enhanc
If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed.
If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
If you disable or don't configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
<!--/Description-->

View File

@ -151,7 +151,7 @@ If you enable this policy setting, you can instruct Windows Error Reporting in t
If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications.
If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications.
If you disable or don't configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications.
This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured.
@ -198,11 +198,11 @@ ADMX Info:
<!--Description-->
This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting.
If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence.
If you disable or don't configure this policy setting, the Default application reporting settings policy setting takes precedence.
<!--/Description-->
@ -245,13 +245,13 @@ ADMX Info:
<!--Description-->
This policy setting specifies applications for which Windows Error Reporting should always report errors.
To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors.
If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.)
If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence.
If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence.
Also see the "Default Application Reporting" and "Application Exclusion List" policies.
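Review bot: The paragraph edited here, "To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting", describes the exclusion list, but this setting is introduced as the one that "specifies applications for which Windows Error Reporting should always report errors", and the following paragraph already covers the inclusion list. The text repeats the paragraph from the exclusion-list setting in the previous hunk, minus the .exe sentence. Confirm it belongs in this description or remove it, rather than only contracting "are not".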
@ -299,26 +299,26 @@ ADMX Info:
<!--Description-->
This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled.
This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
This policy setting doesn't enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
> [!IMPORTANT]
> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting.
> If the Turn off Windows Error Reporting policy setting isn't configured, then Control Panel settings for Windows Error Reporting override this policy setting.
If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting:
If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting:
- "Do not display links to any Microsoft More information websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites.
- "Do not display links to any Microsoft More information websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites.
- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports.
- "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports.
- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports.
- "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports.
- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft.
- "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft.
- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft.
- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft.
- "Replace instances of the word Microsoft with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
If you disable this policy setting, configuration settings in the policy setting are left blank.
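Review bot: The "Do not collect additional files" bullet now says "extra files" while the option name and the following "Do not collect additional computer data" bullet keep "additional", so the description no longer echoes the label it explains. Use one term in both bullets. The unchanged "Replace instances of the word Microsoft with" bullet also still carries doubled quotation marks around ""Microsoft"" that could be fixed in the same pass.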
@ -367,9 +367,9 @@ This policy setting controls whether errors in the operating system are included
If you enable this policy setting, Windows Error Reporting includes operating system errors.
If you disable this policy setting, operating system errors are not included in error reports.
If you disable this policy setting, operating system errors aren't included in error reports.
If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors.
If you don't configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors.
See also the Configure Error Reporting policy setting.
@ -416,7 +416,7 @@ This policy setting controls the behavior of the Windows Error Reporting archive
If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
If you disable or don't configure this policy setting, no Windows Error Reporting information is stored.
<!--/Description-->
@ -461,7 +461,7 @@ This policy setting controls the behavior of the Windows Error Reporting archive
If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
If you disable or don't configure this policy setting, no Windows Error Reporting information is stored.
<!--/Description-->
@ -502,9 +502,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps.
If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
@ -547,9 +547,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps.
If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
@ -590,11 +590,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server.
If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report.
If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types.
<!--/Description-->
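Review bot: The first changed sentence alters meaning rather than style: "sends additional, second-level report data" becomes "sends more first-level report data, accompanied by second-level report data". The old text mentions only second-level data; the new text says first-level data is sent again as well. Confirm this matches the actual throttling behavior, or keep the original meaning, for example "sends more second-level report data".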
@ -635,11 +635,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server.
If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report.
If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types.
<!--/Description-->
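Review bot: The rewrite of the first sentence from "additional, second-level report data" to "more first-level report data, accompanied by second-level report data" changes what the policy is said to upload, not just its style, since first-level data was not mentioned before. Verify the statement against WER's behavior, and keep the wording identical to the duplicate entry in the previous hunk.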
@ -682,9 +682,9 @@ ADMX Info:
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network.
If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted.
If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted.
If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed.
If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed.
<!--/Description-->
@ -727,9 +727,9 @@ ADMX Info:
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network.
If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted.
If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted.
If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed.
If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed.
<!--/Description-->
@ -770,11 +770,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source.
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source.
If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source.
If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source.
<!--/Description-->
@ -815,11 +815,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source.
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source.
If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source.
If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source.
<!--/Description-->
@ -860,11 +860,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft).
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you don't want to send error reports to Microsoft).
If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organizations network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission.
If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft.
If you disable or don't configure this policy setting, Windows Error Reporting sends error reports to Microsoft.
<!--/Description-->
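Review bot: The unchanged context line in this hunk still reads "your organizations network", which is missing the possessive apostrophe. The lines on either side of it are already being edited, so change it to "your organization's network" in the same pass.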
@ -907,19 +907,19 @@ ADMX Info:
<!--Description-->
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft.
- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft.
- 4 (Send all data): Any data requested by Microsoft is sent automatically.
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting.
<!--/Description-->
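Review bot: The label for consent level 3 is renamed from "Send parameters and safe additional data" to "Send parameters and safe extra data", but the parenthesised names in this list read as the option names an administrator selects, and the neighbouring labels "Send parameters" and "Send all data" are left untouched. If the labels are meant to match the policy editor, keep the original label and apply the "additional" to "more" rewording only to the description after the colon. The rewritten level 3 description also chains its clauses with "and ... and ... and"; splitting it into two sentences would read better.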
@ -964,7 +964,7 @@ This policy setting determines the behavior of the Configure Default Consent set
If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting.
If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
<!--/Description-->
@ -1009,7 +1009,7 @@ This policy setting determines the behavior of the Configure Default Consent set
If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting.
If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
<!--/Description-->
@ -1056,9 +1056,9 @@ If you enable this policy setting, you can set the default consent handling for
- Always ask before sending data: Windows prompts users for consent to send reports.
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft.
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft.
- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
- Send all data: any error reporting data requested by Microsoft is sent automatically.
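Review bot: The rewritten "Send parameters and safe extra data" bullet is hard to parse, because "is sent automatically" arrives after the long "along with data which Windows has determined ..." clause with no comma to close it. Consider "the minimum data ... is sent automatically, together with data that Windows has determined (within a high probability) doesn't contain personally identifiable information". The bullets also disagree on capitalization after the colon ("Send parameters: Only" against "Send all data: any"), and the renamed bullet label should be checked against the option name the setting actually shows.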
@ -1109,9 +1109,9 @@ If you enable this policy setting, you can set the default consent handling for
- Always ask before sending data: Windows prompts users for consent to send reports.
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft.
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft.
- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
- Send all data: any error reporting data requested by Microsoft is sent automatically.
@ -1156,11 +1156,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel.
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
<!--/Description-->
@ -1205,7 +1205,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera
If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
<!--/Description-->
@ -1251,7 +1251,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera
If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
<!--/Description-->
@ -1294,9 +1294,9 @@ ADMX Info:
<!--Description-->
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log.
If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log.
If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log.
If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
<!--/Description-->
@ -1339,9 +1339,9 @@ ADMX Info:
<!--Description-->
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log.
If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log.
If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log.
If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
<!--/Description-->
@ -1382,11 +1382,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
This policy setting controls whether more data in support of error reports can be sent to Microsoft automatically.
If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
If you enable this policy setting, any extra-data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
<!--/Description-->
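Review bot: Within this hunk "additional data" becomes "more data" in the first sentence and the hyphenated "extra-data requests" in the second, so one concept now has two names a few lines apart. Use one term for both, for example "any requests for more data from Microsoft in response to a Windows Error Reporting report are automatically declined".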
@ -1433,7 +1433,7 @@ If you enable this policy setting, you can configure report queue behavior by us
The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder.
If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.
If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs.
<!--/Description-->
@ -1480,7 +1480,7 @@ If you enable this policy setting, you can configure report queue behavior by us
The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder.
If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.
If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs.
<!--/Description-->

View File

@ -67,9 +67,9 @@ manager: dansimp
<!--Description-->
This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.
If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.
If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This volume-control may be required in high-volume environments.
If you disable or do not configure this policy setting, forwarder resource usage is not specified.
If you disable or don't configure this policy setting, forwarder resource usage isn't specified.
This setting applies across all subscriptions for the forwarder (source computer).
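Review bot: "This volume-control may be required in high-volume environments" introduces a hyphenated noun that the description doesn't use anywhere else. "This control may be required ..." or "Limiting the volume may be required ..." is clearer. The context line above it still says "events/per second", which should be "events per second".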
@ -128,7 +128,7 @@ Server=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/WEC,Refres
When using the HTTP protocol, use port 5985.
If you disable or do not configure this policy setting, the Event Collector computer will not be specified.
If you disable or don't configure this policy setting, the Event Collector computer won't be specified.
<!--/Description-->

View File

@ -123,7 +123,7 @@ manager: dansimp
<!--Description-->
This policy setting turns on logging.
If you enable or do not configure this policy setting, then events can be written to this log.
If you enable or don't configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
@ -170,7 +170,7 @@ This policy setting controls the location of the log file. The location of the f
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
<!--/Description-->
@ -215,7 +215,7 @@ This policy setting controls the location of the log file. The location of the f
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
<!--/Description-->
@ -260,7 +260,7 @@ This policy setting controls the location of the log file. The location of the f
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
<!--/Description-->
@ -305,7 +305,7 @@ This policy setting controls the location of the log file. The location of the f
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
<!--/Description-->
@ -348,9 +348,9 @@ ADMX Info:
<!--Description-->
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes), in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
<!--/Description-->
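Review bot: The upper bound is changed to "2,147,483,647 kilobytes" while the lower bound in the same sentence stays "1024 kilobytes", so the two limits are now formatted differently. This is a size the administrator configures in kilobytes, so the unseparated "2147483647" is the form that can be copied as typed. Either keep it, or format both bounds the same way and say that the separators aren't part of the value.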
@ -393,11 +393,11 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
<!--/Description-->
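Review bot: The "disable" and "don't configure" paragraphs in this hunk describe the same outcome (new events are discarded and old events are retained) and differ only by a stray "the". Merge them into one "If you disable or don't configure this policy setting ..." paragraph, as the other descriptions in this change do. It would also help to say plainly that in this state the log stops recording once it's full, since that is what "new events are discarded" means for anyone relying on the log.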
@ -440,11 +440,11 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
<!--/Description-->
@ -487,11 +487,11 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
<!--/Description-->
@ -534,11 +534,11 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
<!--/Description-->
@ -583,7 +583,7 @@ This policy setting specifies the security descriptor to use for the log using t
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log.
If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log.
> [!NOTE]
> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
@ -627,11 +627,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log.
If you disable or do not configure this policy setting, only system software and administrators can read or clear this log.
If you disable or don't configure this policy setting, only system software and administrators can read or clear this log.
> [!NOTE]
> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
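
Review bot: The context line "only those users whose security descriptor matches the configured specified value can access the log" still carries the doubled "configured specified". Drop "specified" so it reads "matches the configured value", which is the wording the later "Configure log access" description in this file already uses.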
@ -679,7 +679,7 @@ This policy setting specifies the security descriptor to use for the log using t
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log.
If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log.
> [!NOTE]
> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
@ -723,11 +723,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only users whose security descriptor matches the configured value can access the log.
If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
If you disable or don't configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
> [!NOTE]
> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
@ -771,13 +771,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
If you do not configure this policy setting, the previous policy setting configuration remains in effect.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
<!--/Description-->
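Review bot: The first sentence tells the reader to set both "configure log access" policy settings, but this section closes at the Description end marker without the [!NOTE] that the earlier sections carry about tools and APIs ignoring the setting unless "Configure log access (legacy)" is changed too. Add the same note here, or name the second policy in the sentence, so the requirement is actionable from this section alone.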
@ -818,13 +818,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log.
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log.
If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log.
If you disable this policy setting, only system software and administrators can read or clear this log.
If you do not configure this policy setting, the previous policy setting configuration remains in effect.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
<!--/Description-->
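Review bot: The enabled-state sentence still reads "matches the configured specified value", with "configured" and "specified" doubled. The hunk edits the lines above and below it, so fix it in the same pass by dropping "specified". Since the first sentence now says write permissions can't be configured for this log, it would also help to say which rights the SDDL string does control here; the disabled case mentions only read and clear.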
@ -865,13 +865,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
If you do not configure this policy setting, the previous policy setting configuration remains in effect.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
<!--/Description-->
@ -918,7 +918,7 @@ If you enable this policy setting, only users whose security descriptor matches
If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
If you do not configure this policy setting, the previous policy setting configuration remains in effect.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
<!--/Description-->
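Review bot: The rewritten not-configured sentence, "the previous policy setting configuration remains in effect", does not say what access applies when no earlier configuration exists. State the resulting permissions explicitly, the way the disabled case on the line above does ("only system software and administrators can write or clear this log, and any authenticated user can read events from it").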
@ -961,9 +961,9 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
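Review bot: The closing "Note: Old events may or may not be retained..." line is plain text, while the log access sections earlier in this file use the "> [!NOTE]" alert form. Convert it to the alert form so it renders consistently, and apply the same change to the identical lines in the following sections.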
@ -1008,9 +1008,9 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
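Review bot: The enabled case says new events "aren't written to the log and are lost", but the closing note only addresses what happens to old events under the overwrite behavior. Say whether "Backup log automatically when full" changes the outcome when this setting is enabled, because that is the state in which events are dropped.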
@ -1056,9 +1056,9 @@ ADMX Info:
<!--Description-->
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
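Review bot: This is the third section in the diff with a word-for-word identical description, and nothing in the visible text names the log the setting governs. Name the log in the first sentence of each section so the three can be told apart when read out of context, for example from a search result or a deep link.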

Some files were not shown because too many files have changed in this diff