deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'release-win11-22h2' into lsa_policies

Browse Source
This commit is contained in:
mapalko
2022-08-26 14:56:55 -07:00
committed by GitHub
parent c43e3f8550 47b1d44215
commit b87451247c
2535 changed files with 48133 additions and 47586 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -1,64 +1,74 @@
---
title: Administrative Tools in Windows
description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
ms.reviewer:
manager: dansimp
ms.author: greglin
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.localizationpriority: medium
ms.date: 09/20/2021
ms.date: 03/28/2022
ms.topic: article
ms.collection: highpri
---
# Administrative Tools in Windows
# Windows Tools/Administrative Tools
**Applies to**
- Windows 10
- Windows 11
- Windows 11
- Windows 10
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
![Screenshot of Control Panel.](images/admin-tools.png)
## Windows Tools folder (Windows 11)
The tools in the folder might vary depending on which edition of Windows you are using.
The following graphic shows the **Windows Tools** folder in Windows 11:
![Screenshot of folder of admin tools.](images/admin-tools-folder.png)
:::image type="content" source="media/win11-control-panel-windows-tools.png" alt-text="Screenshot of the Control Panel in Windows 11, highlighting the Administrative Tools folder." lightbox="media/win11-control-panel-windows-tools.png":::
These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
The tools in the folder might vary depending on which edition of Windows you use.
:::image type="content" source="media/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="media/win11-windows-tools.png":::
- [Component Services]( https://go.microsoft.com/fwlink/p/?LinkId=708489)
- [Computer Management](https://support.microsoft.com/kb/308423)
- [Defragment and Optimize Drives](https://go.microsoft.com/fwlink/p/?LinkId=708488)
- [Disk Cleanup](https://go.microsoft.com/fwlink/p/?LinkID=698648)
- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
- [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
- [Registry Editor](/windows/win32/sysinfo/registry)
- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
- [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
- [System Information]( https://go.microsoft.com/fwlink/p/?LinkId=708500)
- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
## Administrative Tools folder (Windows 10)
The following graphic shows the **Administrative Tools** folder in Windows 10:
![Screenshot of the Control Panel in Windows 10, highlighting the Administrative Tools folder.](images/admin-tools.png)
The tools in the folder might vary depending on which edition of Windows you use.
![Screenshot of the contents of the Administrative Tools folder in Windows 10.](images/admin-tools-folder.png)
## Tools
The tools are located in the folder `C:\Windows\System32\` or its subfolders.
These tools were included in previous versions of Windows. The associated documentation for each tool can help you use them. The following list provides links to documentation for each tool.
- [Component Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731901(v=ws.11))
- [Computer Management](https://support.microsoft.com/topic/how-to-use-computer-management-in-windows-xp-d5872f93-4498-f4dd-3a34-36d6f569924f)
- [Defragment and Optimize Drives](https://support.microsoft.com/windows/ways-to-improve-your-computer-s-performance-c6018c78-0edd-a71a-7040-02267d68ea90)
- [Disk Cleanup](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68)
- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
- [ODBC Data Sources](/sql/odbc/admin/odbc-data-source-administrator)
- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
- [Recovery Drive](https://support.microsoft.com/windows/create-a-recovery-drive-abb4691b-5324-6d4a-8766-73fab304c246)
- [Registry Editor](/windows/win32/sysinfo/registry)
- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
- [System Configuration](/troubleshoot/windows-client/performance/system-configuration-utility-troubleshoot-configuration-errors)
- [System Information](/previous-versions/windows/it-pro/windows-2000-server/cc957818(v=technet.10))
- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
- [Windows Memory Diagnostic](/previous-versions/technet-magazine/cc745953(v=msdn.10))
> [!TIP]
> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. 
> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.
## Related topics
[Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview)
[Diagnostic data viewer](/windows/privacy/diagnostic-data-viewer-overview)

23
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -1,15 +1,12 @@
---
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: greg-lindsay
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.localizationpriority: medium
ms.author: tracyp
ms.topic: troubleshooting
ms.collection: highpri
---
@ -18,11 +15,11 @@ ms.collection: highpri
## Overview
This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves many third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication are attempted and then fail to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known issues
@ -38,9 +35,9 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
Check the Windows Security event log on the NPS Server for NPS events that correspond to the rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or the accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
In the event message, scroll to the bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
![example of an audit failure.](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*<br><br>
@ -48,7 +45,7 @@ In the event message, scroll to the very bottom, and then check the [Reason Code
![example of an audit success.](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*<br>
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, if connectivity problems occur, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
@ -114,7 +111,7 @@ auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enab
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
## Additional references
## More references
[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))

269
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -2,27 +2,28 @@
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: greg-lindsay
ms.technology: windows
ms.localizationpriority: medium
ms.author: greglin
ms.date: 11/16/2018
ms.date: 06/02/2022
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
manager: dougeby
ms.topic: troubleshooting
ms.collection: highpri
---
# Advanced troubleshooting for Windows boot problems
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
> [!NOTE]
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
@ -30,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
**1. PreBoot**
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**2. Windows Boot Manager**
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
**3. Windows operating system loader**
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
**4. Windows NT OS Kernel**
The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
[Click to enlarge](img-boot-sequence.md)<br>
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
<a name="boot-sequence"></a>
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
@ -67,43 +58,41 @@ Each phase has a different approach to troubleshooting. This article provides tr
>
> `Bcdedit /set {default} bootmenupolicy legacy`
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
2. Check whether the hard disk drive light on the physical computer is working. If it's not working, this dysfunction indicates that the startup process is stuck at the BIOS phase.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it doesn't toggle, this dysfunction indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this, follow these steps.
To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
@ -115,44 +104,42 @@ To do this, follow these steps.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```console
```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```console
```command
BOOTREC /FIXBOOT
```
> [!NOTE]
> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this, run the following command:
1. Scan for all the systems that are installed. To do this step, run the following command:
```console
```command
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following commands:
```console
3. If the problem isn't fixed, run the following commands:
```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
@ -166,132 +153,120 @@ If you receive BCD-related errors, follow these steps:
### Method 4: Replace Bootmgr
If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this replacement, follow these steps:
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
2. Run the `attrib` command to unhide the file:
```console
```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
```console
```command
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
4. Rename the `bootmgr` file as `bootmgr.old`:
```console
```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
### Method 5: Restore System Hive
### Method 5: Restore system hive
If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
- A Stop error appears after the splash screen (Windows Logo screen).
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- A black screen appears after the splash screen.
- A black screen appears after the splash screen.
To troubleshoot these problems, try the following recovery boot options one at a time.
**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
1. Use one of the following methods to open Event Viewer:
- Click **Start**, point to **Administrative Tools**, and then click
**Event Viewer**.
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then click the log that you
want to view. For example, click **System log** or **Application log**.
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
3. In the details pane, double-click the event that you want to view.
3. In the details pane, open the event that you want to view.
4. On the **Edit** menu, click **Copy**, open a new document in the program in
which you want to paste the event (for example, Microsoft Word), and then
click **Paste**.
5. Use the Up Arrow or Down Arrow key to view the description of the previous
or next event.
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
**Examples**
#### Examples
> [!WARNING]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk.
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
2. Open the registry.
2. Open the registry.
3. Load the system hive, and name it as "test."
3. Load the system hive, and name it **test**.
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
7. Restart the server in Normal mode.
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
For additional troubleshooting steps, see the following articles:
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
7. Restart the server in Normal mode.
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
@ -299,89 +274,83 @@ To fix problems that occur after you install Windows updates, check for pending
2. Run the command:
```console
```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```console
```command
DISM /image:C:\ /remove-package /packagename: name of the package
```
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
Try to start the computer.
If the computer does not start, follow these steps:
If the computer doesn't start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
6. If the **pendingxmlidentifier** value exists, delete the value.
6. If the `pendingxmlidentifier` value exists, delete it.
7. Unload the test hive.
7. Unload the test hive.
8. Load the system hive, name it as "test".
8. Load the system hive, name it **test**.
9. Navigate to the following subkey:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
10. Change the **Start** value from **1** to **4**
9. Navigate to the following subkey:
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
For more information about page file problems in Windows 10 or Windows Server 2016, see the following:
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
For more information about Stop errors, see the following Knowledge Base article:
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
- To do this action, open WinRE, open a command prompt, and then run the following command:
```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
```command
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- If there is disk corruption, run the check disk command:
- If there's disk corruption, run the check disk command:
```console
chkdsk /f /r
```
```command
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a Command Prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
1. Start WinRE, and open a command prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to `C:\Windows\System32\Config\`.
4. Rename the all five hives by appending `.old` to the name.
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

45
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -1,15 +1,12 @@
---
title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dansimp
manager: dougeby
description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: greg-lindsay
author: aczechowski
ms.localizationpriority: medium
ms.author: greglin
ms.author: aaroncz
ms.topic: troubleshooting
---
@ -20,7 +17,7 @@ ms.topic: troubleshooting
## Overview
This is a general troubleshooting of establishing Wi-Fi connections from Windows clients.
This overview describes the general troubleshooting of establishing Wi-Fi connections from Windows clients.
Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
@ -29,11 +26,11 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It's not meant to be representative of every wireless problem scenario.
Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
Wireless ETW is incredibly verbose and calls out many innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
It's important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
@ -57,14 +54,14 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
## Data Collection
1. Network Capture with ETW. Enter the following at an elevated command prompt:
1. Network Capture with ETW. Enter the following command at an elevated command prompt:
```console
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
- If there is a failure to establish connection, try to manually connect.
- If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
- If there's a failure to establish connection, try to manually connect.
- If it's intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
- If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesnt overwrite the repro data.
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
@ -78,11 +75,11 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
netsh trace convert c:\tmp\wireless.etl
```
See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt.
See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you'll have three files: wireless.cab, wireless.etl, and wireless.txt.
## Troubleshooting
The following is a high-level view of the main wifi components in Windows.
The following view is a high-level one of the main wifi components in Windows.
|Wi-fi Components|Description|
|--- |--- |
@ -116,7 +113,7 @@ Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnaly
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
The following is an example of a good connection setup:
An example of a good connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
@ -127,7 +124,7 @@ The following is an example of a good connection setup:
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
```
The following is an example of a failed connection setup:
An example of a failed connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
@ -138,9 +135,9 @@ The following is an example of a failed connection setup:
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
```
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state.
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs prior to the last known good state.
Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
The important components of the MSM include:
@ -149,10 +146,10 @@ The important components of the MSM include:
![MSM details.](images/msmdetails.png)
Each of these components has their own individual state machines which follow specific transitions.
Each of these components has its own individual state machines that follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
Continuing with the example above, the combined filters look like this:
Further to the preceding example, the combined filters look like the following command example:
```console
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
@ -177,7 +174,7 @@ Authenticating to State: Roaming
> [!NOTE]
> In the next to last line the SecMgr transition is suddenly deactivating:<br>
>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)<br><br>
>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing prior to this SecMgr behavior to determine the reason for the deactivation.
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
@ -203,7 +200,7 @@ The trail backwards reveals a **Port Down** notification:
Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
Below, the MSM is the native wifi stack. These drivers are Windows native wifi drivers that talk to the wifi miniport drivers. It's responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
Enable trace filter for **[Microsoft-Windows-NWifi]:**
@ -230,7 +227,7 @@ In the trace above, we see the line:
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
```
This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
This line is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This denail could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This action would be done by examining internal logging/tracing from the AP.
### Resources

12
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -1,15 +1,15 @@
---
title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
ms.prod: w10
author: Teresa-Motiv
ms.author: dougeby
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/25/2020
ms.topic: article
ms.custom:
- CI 111493
- CI 125140
- CSSTroubleshooting
- CI 111493
- CI 125140
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
manager: kaushika

29
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -1,17 +1,13 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: dansimp
ms.author: vinpa
ms.date: 01/18/2022
ms.reviewer:
manager: dansimp
manager: aaroncz
ms.topic: article
ms.collection: highpri
---
@ -31,11 +27,11 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
- On the PC you want to connect to:
@ -45,7 +41,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
![Allow remote connections to this computer.](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- Adding users manually
@ -55,18 +51,18 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
In order to execute this PowerShell command, you must be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br>
> [!NOTE]
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
>
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- Adding users using policy
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
@ -87,6 +83,9 @@ The table below lists the supported configurations for remotely connecting to an
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
> [!NOTE]
> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection.
## Related topics
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)

15
windows/client-management/data-collection-for-802-authentication.md
View File

@ -3,10 +3,7 @@ title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
@ -42,7 +39,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
```
3. Run the following command to enable CAPI2 logging and increase the size :
3. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
@ -70,7 +67,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
6. Run the following command to enable CAPI2 logging and increase the size :
6. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
@ -241,7 +238,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following 3 commands on Windows Server 2012 and later:
- Run the following commands on Windows Server 2012 and later:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
@ -320,7 +317,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- Run the following 3 lines on Windows 2012 and up
- Run the following lines on Windows 2012 and up
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
@ -371,9 +368,9 @@ Use the following steps to collect wireless and wired logs on Windows and Window
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt
```
3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
4. Log on to a domain controller and create C:\MSLOG to store captured logs.
4. Sign in to a domain controller and create C:\MSLOG to store captured logs.
5. Launch Windows PowerShell as an administrator.
6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for "; test.local"; domain.
```powershell
Import-Module ActiveDirectory

35
windows/client-management/determine-appropriate-page-file-size.md
View File

@ -2,7 +2,6 @@
title: How to determine the appropriate page file size for 64-bit versions of Windows
description: Learn how to determine the appropriate page file size for 64-bit versions of Windows.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
@ -15,7 +14,7 @@ ms.collection: highpri
# How to determine the appropriate page file size for 64-bit versions of Windows
Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This means that page file sizing is also unique to each system and cannot be generalized.
Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This uniqueness means that page file sizing is also unique to each system and can't be generalized.
## Determine the appropriate page file size
@ -23,17 +22,17 @@ Use the following considerations for page file sizing for all versions of Window
### Crash dump setting
If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file is not created.
If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file isn't created.
For more information, see [Support for system crash dumps](introduction-page-file.md#support-for-system-crash-dumps) section.
### Peak system commit charge
The system commit charge cannot exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary.
The system commit charge can't exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary.
### Quantity of infrequently accessed pages
The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, be aware that not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true:
The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This removal provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true:
- More available physical memory (\Memory\Available MBytes) is required.
@ -43,7 +42,7 @@ The purpose of a page file is to *back* (support) infrequently accessed modified
## Support for system crash dumps
A system crash (also known as a “bug check” or a "Stop error") occurs when the system cannot run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system cannot create the crash dump file.
A system crash (also known as a “bug check” or a "Stop error") occurs when the system can't run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system can't create the crash dump file.
>[!Note]
>During startup, system-managed page files are sized respective to the system crash dump settings. This assumes that enough free disk space exists.
@ -57,29 +56,29 @@ A system crash (also known as a “bug check” or a "Stop error") occurs when t
\* 1 MB of header data and device drivers can total 256 MB of secondary crash dump data.
The **Automatic memory dump** setting is enabled by default. This is a setting instead of a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes.
The **Automatic memory dump** setting is enabled by default. This setting is an alternative to a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes.
The Automatic memory dump feature initially selects a small paging file size. It would accommodate the kernel memory most of the time. If the system crashes again within four weeks, the Automatic memory dump feature sets the page file size as either the RAM size or 32 GB, whichever is smaller.
Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge.
Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This dump requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge.
### Dedicated dump files
Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead.
Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators can now create a dedicated dump file instead.
A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
A dedicated dump file is a page file that isn't used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you don't want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
## System-managed page files
By default, page files are system-managed. This means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump.
By default, page files are system-managed. This system management means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump.
For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. This all assumes that the logical disk that is hosting the page file is large enough to accommodate the growth.
For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This surge continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. Therefore, it's assumes that the logical disk that is hosting the page file is large enough to accommodate the growth.
The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11.
|Minimum page file size |Maximum page file size|
|---------------|------------------|
|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if required for crash dump settings.|
|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This size is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if necessary for crash dump settings.|
## Performance counters
@ -87,7 +86,7 @@ Several performance counters are related to page files. This section describes t
### \Memory\Page/sec and other hard page fault counters
The following performance counters measure hard page faults (which include, but are not limited to, page file reads):
The following performance counters measure hard page faults (which include, but aren't limited to, page file reads):
- \Memory\Page/sec
@ -103,7 +102,7 @@ The following performance counters measure page file writes:
Hard page faults are faults that must be resolved by retrieving the data from disk. Such data can include portions of DLLs, .exe files, memory-mapped files, and page files. These faults might or might not be related to a page file or to a low-memory condition. Hard page faults are a standard function of the operating system. They occur when the following items are read:
- Parts of image files (.dll and .exe files) as they are used
- Parts of image files (.dll and .exe files) as they're used
- Memory-mapped files
@ -111,11 +110,11 @@ Hard page faults are faults that must be resolved by retrieving the data from di
High values for these counters (excessive paging) indicate disk access of generally 4 KB per page fault on x86 and x64 versions of Windows and Windows Server. This disk access might or might not be related to page file activity but may contribute to poor disk performance that can cause system-wide delays if the related disks are overwhelmed.
Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. Be aware that a system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200 RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for.
Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. A system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200-RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for.
### \Paging File(*)\% Usage
The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file does not indicate a performance problem as long as the system commit limit is not reached by the system commit charge, and if a significant amount of memory is not waiting to be written to a page file.
The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file doesn't indicate a performance problem as long as the system commit limit isn't reached by the system commit charge, and if a significant amount of memory isn't waiting to be written to a page file.
>[!Note]
>The size of the Modified Page List (\Memory\Modified Page List Bytes) is the total of modified data that is waiting to be written to disk.
@ -127,4 +126,4 @@ If the Modified Page List (a list of physical memory pages that are the least fr
## Multiple page files and disk considerations
If a system is configured to have more than one page files, the page file that responds first is the one that is used. This means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Be aware that actual page file usage depends greatly on the amount of modified memory that the system is managing. This means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) are not written to a page file. Only modified data that does not already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it is backed by the disk and not by a page file.
If a system is configured to have more than one page files, the page file that responds first is the one that is used. This customized configuration means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Actual page file usage depends greatly on the amount of modified memory that the system is managing. This dependency means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) aren't written to a page file. Only modified data that doesn't already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it's backed by the disk and not by a page file.

5
windows/client-management/docfx.json
View File

@ -21,6 +21,7 @@
"files": [
"**/*.png",
"**/*.jpg",
"**/*.svg",
"**/*.gif"
],
"exclude": [
@ -33,7 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",
@ -41,7 +42,7 @@
"manager": "dansimp",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-client-management",

13
windows/client-management/generate-kernel-or-complete-crash-dump.md
View File

@ -2,7 +2,6 @@
title: Generate a kernel or complete crash dump
description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
@ -46,7 +45,7 @@ To enable memory dump setting, follow these steps:
When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.
Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage.
Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best-case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This read-and-write process can cause a prolonged server outage.
>[!Note]
>Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted.
@ -55,7 +54,7 @@ Depending on the speed of the hard disk on which Windows is installed, dumping m
### Use the NotMyFault tool
If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps:
If you can sign in while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool by following these steps:
1. Download the [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip) tool.
@ -71,17 +70,17 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
### Use NMI
On some computers, you cannot use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard is not attached to the HP BladeSystem server.
On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server.
In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor.
To do this, follow these steps:
To implement this process, follow these steps:
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> [!NOTE]
> This registry key is not required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
> This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
1. In Registry Editor, locate the following registry subkey:
@ -104,7 +103,7 @@ To do this, follow these steps:
>[!Note]
>For the exact steps, see the BIOS reference manual or contact your hardware vendor.
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction.
If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq).

8
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -2,14 +2,12 @@
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
---

17
windows/client-management/img-boot-sequence.md
View File

@ -1,17 +0,0 @@
---
title: Boot sequence flowchart
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.author: dansimp
author: dansimp
ms.topic: article
ms.prod: w10
---
# Boot sequence flowchart
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
![Full-sized boot sequence flowchart.](images/boot-sequence.png)

3
windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
View File

@ -3,10 +3,9 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.

1
windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-adobe-flash-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-cortana-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-developer-tools-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data.

22
windows/client-management/includes/allow-extensions-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.

22
windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.

22
windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.

22
windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.

22
windows/client-management/includes/allow-prelaunch-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.

22
windows/client-management/includes/allow-printing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.

22
windows/client-management/includes/allow-saving-history-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices.

26
windows/client-management/includes/allow-search-engine-customization-shortdesc.md
View File

@ -1,11 +1,15 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can execute the following tasks in Settings:
- Add new search engines
- Change the default search engine
With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser.

22
windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).

22
windows/client-management/includes/allow-tab-preloading-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.

22
windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.

22
windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.

22
windows/client-management/includes/always-show-books-library-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the devices country or region.

28
windows/client-management/includes/configure-additional-search-engines-shortdesc.md
View File

@ -1,11 +1,17 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
The Set default search engine policy enables the users to:
- Set a default search engine
- Configure up to five more search engines, and set any one of them as the default
If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines

22
windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.

22
windows/client-management/includes/configure-autofill-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.

22
windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.

22
windows/client-management/includes/configure-cookies-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.

22
windows/client-management/includes/configure-do-not-track-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge doesn't send Do Not Track requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.

22
windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.

22
windows/client-management/includes/configure-favorites-bar-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.

22
windows/client-management/includes/configure-favorites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.

22
windows/client-management/includes/configure-home-button-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.

32
windows/client-management/includes/configure-kiosk-mode-shortdesc.md
View File

@ -1,11 +1,21 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device.
> [!NOTE]
> You can define the browser's behavior only if you have the assigned access privileges.
You can also define a behavior when Microsoft Edge serves as a single application.
You can facilitate the following functionalities in the Microsoft Edge browser:
- Execution of InPrivate full screen
- Execution of InPrivate multi-tab with a tailored experience for kiosks
- Provision for normal browsing

22
windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current users browsing data.

22
windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, dont configure the Disable Lockdown of Start Pages policy.

22
windows/client-management/includes/configure-password-manager-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Dont configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.

24
windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
View File

@ -1,12 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, dont configure this policy.
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, dont configure this policy.

22
windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.

22
windows/client-management/includes/configure-start-pages-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes.

22
windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Dont configure this policy to let users choose to turn Windows defender SmartScreen on or off.

22
windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy.

22
windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, the “browser” group syncs automatically between users devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.

22
windows/client-management/includes/do-not-sync-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of users settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.

22
windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge does not sync the users favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.

1
windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 04/23/2020
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.

22
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).

22
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.

22
windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.

22
windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.

22
windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.

22
windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.

22
windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored.

22
windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, the “browser” group syncs automatically between the users devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.

22
windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses.

31
windows/client-management/includes/provision-favorites-shortdesc.md
View File

@ -1,11 +1,20 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes:
- Creating a standard list
- This standard list includes:
- Folders (which you can add)
- the list of favorites that you manually add, after creating the standard list
This customized favorite is the final version.

22
windows/client-management/includes/search-provider-discovery-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.

22
windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.

22
windows/client-management/includes/set-default-search-engine-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.

22
windows/client-management/includes/set-home-button-url-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.

22
windows/client-management/includes/set-new-tab-url-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.

21
windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
View File

@ -1,10 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.

22
windows/client-management/includes/unlock-home-button-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.

13
windows/client-management/index.yml
View File

@ -13,11 +13,12 @@ metadata:
ms.collection:
- windows-10
- highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.date: 03/28/2022 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
@ -28,12 +29,12 @@ landingContent:
linkLists:
- linkListType: overview
links:
- text: Administrative Tools in Windows 10
- text: Windows Tools/Administrative Tools
url: administrative-tools-in-windows-10.md
- text: Create mandatory user profiles
url: mandatory-user-profile.md
- text: Mobile device management (MDM)
url: mdm/index.md
url: mdm/index.yml
- text: MDM for device updates
url: mdm/device-update-management.md
- text: Mobile device enrollment

3
windows/client-management/introduction-page-file.md
View File

@ -2,7 +2,6 @@
title: Introduction to the page file
description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
@ -35,7 +34,7 @@ For example, the following Windows servers require page files:
- Certificate servers
- ADAM/LDS servers
This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory.
This requirement is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to ensure that the database cache can release memory if other services or applications request memory.
For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed".

28
windows/client-management/manage-corporate-devices.md
View File

@ -1,16 +1,12 @@
---
title: Manage corporate devices
description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
ms.reviewer:
manager: dansimp
ms.author: dansimp
keywords: ["MDM", "device management"]
manager: aaroncz
ms.author: vinpa
keywords: [MDM, device management]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.topic: article
@ -47,21 +43,7 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Azure AD Join on Windows 10 (and Windows 11) devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
[Azure AD support for Windows 10 (and Windows 11)](https://go.microsoft.com/fwlink/p/?LinkID=615765)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
[How to manage Windows 10 (and Windows 11) devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620)
[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
 

166
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -2,13 +2,11 @@
title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: barakm
author: vinaypamnani-msft
ms.date: 09/14/2021
ms.reviewer:
manager: barakm
ms.author: barakm
manager: aaroncz
ms.author: vinpa
ms.topic: article
---
@ -17,7 +15,7 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
- Windows 11
- Windows Server 2022
@ -27,19 +25,19 @@ By using Windows operating systems, administrators can determine what devices ca
## Introduction
### General
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it.
This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices.
The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer.
The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide won't exactly match the user interface that appears on the computer.
It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups.
It's important to understand that the Group Policies that are presented in this guide are only applied to machines/machine-groups, not to users/user-groups.
> [!IMPORTANT]
> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide isn't meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
### Who Should Use This Guide?
@ -56,7 +54,7 @@ Restricting the devices that users can install reduces the risk of data theft an
#### Reduce the risk of data theft
It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data.
It's more difficult for users to make unauthorized copies of company data if users' computers can't install unapproved devices that support removable media. For example, if users can't install a USB thumb-drive device, they can't download copies of company data onto a removable storage. This benefit can't eliminate data theft, but it creates another barrier to unauthorized removal of data.
#### Reduce support costs
@ -82,7 +80,7 @@ In this scenario, the administrator allows standard users to install all printer
### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies.
In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies.
### Scenario #4: Prevent installation of a specific USB device
@ -90,7 +88,7 @@ This scenario, although similar to scenario #2, brings another layer of complexi
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the prevent functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario.
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the prevent functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
## Technology Review
@ -99,9 +97,9 @@ The following sections provide a brief overview of the core technologies discuss
### Device Installation in Windows
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block.
@ -122,24 +120,24 @@ Windows can use each string to match a device to a driver package. The strings r
##### Hardware IDs
Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available.
Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision isn't available.
##### Compatible IDs
Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
#### Device setup classes
Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail).
@ -147,36 +145,36 @@ For example, a multi-function device, such as an all-in-one scanner/fax/printer,
For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
The following two links provide the complete list of Device Setup Classes. System Use classes are mostly refer to devices that come with a computer/machine from the factory, while Vendor classes are mostly refer to devices that could be connected to an existing computer/machine:
The following two links provide the complete list of Device Setup Classes. System Use classes are mostly referred to devices that come with a computer/machine from the factory, while Vendor classes are mostly referred to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
#### Removable Device Device type
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
### Group Policy Settings for Device Installation
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference.
Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference.
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE]
> Device Installation control is applied only to machines (computer configuration) and not users (user configuration) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
> Device Installation control is applied only to machines (computer configuration) and not users (user configuration) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies
This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation.
This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or don't configure this policy setting, administrators are subject to all policy settings that restrict device installation.
#### Allow installation of devices that match any of these device IDs
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Allow installation of devices that match any of these device instance IDs
@ -184,20 +182,20 @@ This policy setting allows you to specify a list of Plug and Play device instanc
#### Allow installation of devices using drivers that match these device setup classes
This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Prevent installation of devices that match these device IDs
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users can't install. If you enable this policy setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or don't configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.
#### Prevent installation of devices that match any of these device instance IDs
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
#### Prevent installation of devices using drivers that match these device setup classes
This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users can't install. If you enable this policy setting, users can't install or update devices that belong to any of the listed device setup classes. If you disable or don't configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device.
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
@ -209,7 +207,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
>
> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
@ -222,11 +220,11 @@ Some of these policies take precedence over other policies. The flowchart shown
### General
To complete each of the scenarios, please ensure your have:
To complete each of the scenarios, ensure your have:
- A client computer running Windows.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
@ -234,18 +232,18 @@ To complete each of the scenarios, please ensure your have:
### Understanding implications of applying Prevent policies retroactive
All Prevent policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
All Prevent policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
This is a powerful tool, but as such it has to be used carefully.
This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
> Applying the Prevent retroactive option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all Disk Drives could block the access to the disk on which the OS boots with; Preventing retroactive all Net could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide).
By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device don't match those IDs shown in this guide, use the IDs that are appropriate to your device (this policy applies to Instance IDs and Classes, but we aren't going to give an example for them in this guide).
You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device.
@ -268,7 +266,7 @@ To find device identification strings using Device Manager
![Details tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the Details tab to look for the device identifiers_
6. From the Value window, copy the most detailed Hardware ID we will use this in the policies.
6. From the Value window, copy the most detailed Hardware ID we'll use this value in the policies.
![HWID.](images/device-installation-dm-printer-hardware-ids.png)
@ -283,7 +281,7 @@ To find device identification strings using Device Manager
pnputil /enum-devices /ids
```
Here is an example of an output for a single device on a machine:
Here's an example of an output for a single device on a machine:
```console
<snip>
@ -310,7 +308,7 @@ Compatible IDs: PCI\VEN_8086&DEV_2F34&REV_02
## Scenario #1: Prevent installation of all printers
In this simple scenario, you will learn how to prevent the installation of an entire Class of devices.
In this simple scenario, you'll learn how to prevent the installation of an entire Class of devices.
### Setting up the environment
@ -335,7 +333,7 @@ Getting the right device identifier to prevent it from being installed:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
3. Our current scenario is focused on preventing all printers from being installed, as such here is the Class GUID for most of printers in the market:
3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@ -343,7 +341,7 @@ Getting the right device identifier to prevent it from being installed:
> This class includes printers.
> [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they're not blocking any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed:
@ -357,15 +355,15 @@ Creating the policy to prevent all printers from being installed:
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
8. Click Apply on the bottom right of the policys window this pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
9. Optional if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed
@ -374,13 +372,13 @@ Creating the policy to prevent all printers from being installed:
### Testing the scenario
1. If you have not completed step #9 follow these steps:
1. If you haven't completed step #9 follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
1. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
1. You should not be able to reinstall the printer.
1. You shouldn't be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
@ -392,13 +390,13 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Make sure all previous Device Installation policies are disabled except Apply layered order of evaluation (this is optional to be On/Off this scenario). Although the policy is disabled in default, it is recommended to be enabled in most practical applications. For scenario #2 it is optional.
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
### Scenario steps preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
1. Get your printers Hardware ID in this example we will use the identifier we found previously
1. Get your printers Hardware ID in this example we'll use the identifier we found previously
![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
@ -414,7 +412,7 @@ Creating the policy to prevent a single printer from being installed:
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
4. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to block.
4. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the printer device ID you found above WSDPRINT\CanonMX920_seriesC1A0
@ -422,26 +420,26 @@ Creating the policy to prevent a single printer from being installed:
6. Click OK.
7. Click Apply on the bottom right of the policys window. This pushes the policy and blocks the target printer in future installations, but doesnt apply to an existing install.
7. Click Apply on the bottom right of the policys window. This option pushes the policy and blocks the target printer in future installations, but doesnt apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed.
### Testing the scenario
If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
If you have not completed step #8, follow these steps:
If you haven't completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
2. For USB printer unplug and plug back the cable; for network device make a search for the printer in the Windows Settings app.
3. You should not be able to reinstall the printer.
3. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
Now, using the knowledge from both previous scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
### Setting up the environment
@ -474,15 +472,15 @@ First create a Prevent Class policy and then create Allow Device one
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it wont work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
8. Click Apply on the bottom right of the policys window this pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future printer installations, but doesnt apply to existing installs.
9. To complete the coverage of all future and existing printers Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window mark the checkbox that says also apply to matching devices that are already installed and click OK
@ -494,7 +492,7 @@ First create a Prevent Class policy and then create Allow Device one
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
10. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to allow.
10. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow.
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
@ -502,18 +500,18 @@ First create a Prevent Class policy and then create Allow Device one
12. Click OK.
13. Click Apply on the bottom right of the policys window this pushes the policy and allows the target printer to be installed (or stayed installed).
13. Click Apply on the bottom right of the policys window this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario
1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document.
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer you should not be bale to print anything or able to access the printer at all.
2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you'll gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
### Setting up the environment
@ -521,7 +519,7 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
2. Make sure all previous Device Installation policies are disabled except Apply layered order of evaluation (this is optional to be On/Off this scenario) although the policy is disabled in default, it is recommended to be enabled in most practical applications.
2. Ensure all previous Device Installation policies are disabled except Apply layered order of evaluation (this prerequisite is optional to be On/Off this scenario) although the policy is disabled in default, it's recommended to be enabled in most practical applications.
### Scenario steps preventing installation of a specific device
@ -546,7 +544,7 @@ Getting the right device identifier to prevent it from being installed and its l
5. Double-click the USB thumb-drive and move to the Details tab.
6. From the Value window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
6. From the Value window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
@ -560,7 +558,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
4. In the lower left side, in the Options window, click the Show box. This will take you to a table where you can enter the device identifier to block.
4. In the lower left side, in the Options window, click the Show box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the USB thumb-drive device ID you found above USBSTOR\DiskGeneric_Flash_Disk______8.07
@ -568,24 +566,24 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
6. Click OK.
7. Click Apply on the bottom right of the policys window this pushes the policy and blocks the target USB thumb-drive in future installations, but doesnt apply to an existing install.
7. Click Apply on the bottom right of the policys window this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesnt apply to an existing install.
8. Optional if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window, mark the checkbox that says also apply to matching devices that are already installed
### Testing the scenario
1. If you have not completed step #8 follow these steps:
1. If you haven't completed step #8 follow these steps:
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
- You should not be able to reinstall the device.
- You shouldn't be able to reinstall the device.
2. If you completed step #8 above and restarted the machine, simply look for your Disk drives under Device Manager and see that it is no-longer available for you to use.
2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
Now, using the knowledge from all the previous four scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
### Setting up the environment
@ -611,11 +609,11 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
- USB Device
- Class = USBDevice
- ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
- USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs.
- USBDevice includes all USB devices that don't belong to another class. This class isn't used for USB host controllers and hubs.
- Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
As mentioned in scenario #4, it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one are not blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
- “Intel(R) USB 3.0 eXtensible Host Controller 1.0 (Microsoft)” -> PCI\CC_0C03
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
@ -623,18 +621,18 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I
![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
> [!IMPORTANT]
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an Allow list in such cases. See below for the list:
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an Allow list in such cases. See below for the list:
>
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
> USB\USB20_HUB (for Generic USB Hubs)/
>
> Specifically for desktop machines, it is very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
>
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
First create a Prevent Class policy and then create Allow Device one:
@ -648,7 +646,7 @@ First create a Prevent Class policy and then create Allow Device one
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
5. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the class identifier to block.
6. Enter both USB classes GUID you found above with the curly braces:
@ -657,7 +655,7 @@ First create a Prevent Class policy and then create Allow Device one
7. Click OK.
8. Click Apply on the bottom right of the policys window this pushes the policy and blocks all future USB device installations, but doesnt apply to existing installs.
8. Click Apply on the bottom right of the policys window this option pushes the policy and blocks all future USB device installations, but doesnt apply to existing installs.
> [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
@ -668,7 +666,7 @@ First create a Prevent Class policy and then create Allow Device one
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
11. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to allow.
11. In the lower left side, in the Options window, click the Show… box. This option will take you to a table where you can enter the device identifier to allow.
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation USBSTOR\DiskGeneric_Flash_Disk______8.07
@ -682,4 +680,4 @@ First create a Prevent Class policy and then create Allow Device one
### Testing the scenario
You should not be able to install any USB thumb-drive, except the one you authorized for usage
You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage

8
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -2,13 +2,11 @@
title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
author: vinaypamnani-msft
ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
---

128
windows/client-management/manage-windows-10-in-your-organization-modern-management.md
View File

@ -1,140 +1,136 @@
---
title: Manage Windows 10 in your organization - transitioning to modern management
description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 04/26/2018
ms.date: 06/03/2022
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
manager: aaroncz
ms.topic: overview
---
# Manage Windows 10 in your organization - transitioning to modern management
Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, its easy for versions to coexist.
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This managed diversity enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
>[!NOTE]
>The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
> [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
- [Deployment and Provisioning](#deployment-and-provisioning)
- [Identity and Authentication](#identity-and-authentication)
- [Identity and Authentication](#identity-and-authentication)
- [Configuration](#settings-and-configuration)
- [Configuration](#settings-and-configuration)
- [Updating and Servicing](#updating-and-servicing)
- [Updating and Servicing](#updating-and-servicing)
## Reviewing the management options with Windows 10
Windows 10 offers a range of management options, as shown in the following diagram:
<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a mobile-first, cloud-first approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
## Deployment and provisioning
With Windows 10, you can continue to use traditional OS deployment, but you can also manage out of the box. To transform new devices into fully-configured, fully-managed devices, you can:
With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and authentication
## Identity and Authentication
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain thats [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides:
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- Single sign-on to cloud and on-premises resources from everywhere
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
- Single sign-on to cloud and on-premises resources from everywhere
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
- Windows Hello
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- Windows Hello
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
## Settings and Configuration
## Settings and configuration
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorers 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
## Updating and servicing
## Updating and Servicing
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple often automatic patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
## Next steps
There are a variety of steps you can take to begin the process of modernizing device management in your organization:
There are various steps you can take to begin the process of modernizing device management in your organization:
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
**Take incremental steps.** Moving towards modern device management doesnt have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this managed diversity, users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
## Related articles
## Related topics
- [What is Intune?](//mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)

9
windows/client-management/mandatory-user-profile.md
View File

@ -1,15 +1,12 @@
---
title: Create mandatory user profiles (Windows 10 and Windows 11)
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
keywords: [".man","ntuser"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.author: dansimp
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
manager: aaroncz
ms.topic: article
ms.collection: highpri
---

21
windows/client-management/mdm/Language-pack-management-csp.md
View File

@ -2,17 +2,28 @@
title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
ms.reviewer:
manager: dansimp
ms.author: v-nsatapathy
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
author: vinaypamnani-msft
ms.date: 06/22/2021
---
# Language Pack Management CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
@ -81,3 +92,7 @@ The Language Pack Management CSP allows a direct way to provision languages remo
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

33
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -1,25 +1,24 @@
---
title: AccountManagement CSP
description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
ms.author: dansimp
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 03/23/2018
ms.reviewer:
manager: dansimp
manager: aaroncz
---
# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following shows the AccountManagement configuration service provider in tree format.
The following syntax shows the AccountManagement configuration service provider in tree format.
```console
./Vendor/MSFT
@ -41,7 +40,9 @@ Interior node.
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get,Replace, and Delete. Value type is bool.
Supported operations are Add, Get, Replace, and Delete.
Value type is bool.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30.
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

13
windows/client-management/mdm/accountmanagement-ddf.md
View File

@ -1,19 +1,18 @@
---
title: AccountManagement DDF file
description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
ms.author: dansimp
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 03/23/2018
ms.reviewer:
manager: dansimp
manager: aaroncz
---
# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[AccountManagement configuration service provider](accountmanagement-csp.md)

39
windows/client-management/mdm/accounts-csp.md
View File

@ -1,25 +1,34 @@
---
title: Accounts CSP
description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group.
ms.author: dansimp
description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 03/27/2020
ms.reviewer:
manager: dansimp
manager: aaroncz
---
# Accounts Configuration Service Provider
# Accounts CSP
The table below shows the applicability of Windows:
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later.
The following shows the Accounts configuration service provider in tree format.
The following syntax shows the Accounts configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
Accounts
----Domain
@ -37,7 +46,7 @@ Root node.
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros:
@ -55,15 +64,19 @@ Supported operation is Add.
Interior node for the user account information.
<a href="" id="users-username"></a>**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
This node specifies the username for a new local user account. This setting can be managed remotely.
<a href="" id="users-username-password"></a>**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager.
GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

19
windows/client-management/mdm/accounts-ddf-file.md
View File

@ -1,22 +1,21 @@
---
title: Accounts DDF file
description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 04/17/2018
ms.reviewer:
manager: dansimp
manager: aaroncz
---
# Accounts CSP
# Accounts DDF file
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
The XML below is for Windows 10, version 1803.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803.
<Add />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<Description>This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<DFFormat>
<int />
</DFFormat>
@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[Accounts configuration service provider](accounts-csp.md)

93
windows/client-management/mdm/activesync-csp.md
View File

@ -1,36 +1,43 @@
---
title: ActiveSync CSP
description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# ActiveSync CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
```console
./Vendor/MSFT
ActiveSync
----Accounts
@ -66,13 +73,11 @@ ActiveSync
The root node for the ActiveSync configuration service provider.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term.
The supported operation is Get.
@ -86,7 +91,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must
Supported operations are Get, Add, and Delete.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
@ -107,7 +112,7 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo
<a href="" id="account-guid-emailaddress"></a>***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
@ -119,21 +124,21 @@ Supported operations are Get, Replace, Add, and Delete.
<a href="" id="account-guid-accounticon"></a>***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (cannot Add after the account is created).
Supported operations are Get and Add (can't Add after the account is created).
This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange".
<a href="" id="account-guid-accountname"></a>***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
<a href="" id="account-guid-password"></a>***Account GUID*/Password**
Required. A character string that specifies the password for the account.
@ -145,14 +150,14 @@ For the Get command, only asterisks are returned.
<a href="" id="account-guid-servername"></a>***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
<a href="" id="account-guid-username"></a>***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (cannot Add after the account is created).
Supported operations are Get, and Add (can't Add after the account is created).
The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
<a href="" id="options"></a>**Options**
Node for other parameters.
@ -163,9 +168,9 @@ Specifies the time window used for syncing calendar items to the device. Value t
<a href="" id="options-logging"></a>**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are one of the following:
Valid values are any of the following values:
- 0 (default) - Logging is off.
@ -173,7 +178,7 @@ Valid values are one of the following:
- 2 - Advanced logging is enabled.
Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
<a href="" id="options-mailbodytype"></a>**Options/MailBodyType**
Indicates the email format. Valid values:
@ -185,19 +190,19 @@ Indicates the email format. Valid values:
- 4 - MIME
<a href="" id="options-mailhtmltruncation"></a>**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-mailplaintexttruncation"></a>**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-usessl"></a>**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are:
- 0 - SSL is not used.
- 0 - SSL isn't used.
- 1 (default) - SSL is used.
@ -206,7 +211,7 @@ Required. A character string that specifies the time until the next sync is perf
Supported operations are Get and Replace.
Valid values are one of the following:
Valid values are any of the following values:
- -1 (default) - A sync will occur as items are received
@ -223,7 +228,7 @@ Required. A character string that specifies the time window used for syncing ema
Supported operations are Get and Replace.
Valid values are one of the following:
Valid values are any of the following values:
- 0 No age filter is used, and all email items are synced to the device.
@ -238,7 +243,7 @@ Valid values are one of the following:
<a href="" id="options-contenttypes-content-type-guid"></a>**Options/ContentTypes/**<strong>*Content Type GUID*</strong>
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are one of the following:
The *GUID* values allowed are any of the following values:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
@ -251,11 +256,11 @@ The *GUID* values allowed are one of the following:
<a href="" id="options-contenttypes-content-type-guid-enabled"></a>**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are one of the following:
Valid values are any of the following values:
- 0 - Sync for email, contacts, calendar, or tasks is disabled.
- 0 - Sync for email, contacts, calendar, or tasks are disabled.
- 1 (default) - Sync is enabled.
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
@ -264,8 +269,7 @@ Required. A character string that specifies the name of the content type.
> [!NOTE]
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
@ -275,7 +279,9 @@ Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
@ -284,7 +290,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

21
windows/client-management/mdm/activesync-ddf-file.md
View File

@ -1,20 +1,18 @@
---
title: ActiveSync DDF file
description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 12/05/2017
---
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -533,7 +531,7 @@ The XML below is the current version for this CSP.
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<Description>Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
@ -679,15 +677,4 @@ The XML below is the current version for this CSP.
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

13
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -1,14 +1,13 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
---
@ -57,7 +56,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).
![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
@ -75,7 +74,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
![register in azure-ad.](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
@ -87,7 +86,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
![registration in azuread.](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
6. You'll see a welcome page when the process completes.
![register screen of azuread](images/azure-ad-add-tenant15.png)

35
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -1,34 +1,30 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
The following example shows the AllJoynManagement configuration service provider in tree format
The following shows the AllJoynManagement configuration service provider in tree format
```
```console
./Vendor/MSFT
AllJoynManagement
----Configurations
@ -64,16 +60,16 @@ The following list describes the characteristics and parameters.
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included.
<a href="" id="services-node-name"></a>**Services/**<strong>*Node name*</strong>
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify more ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/**<strong>*Node name*</strong>
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
Port number used for communication. This value is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
@ -81,7 +77,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/**<strong>*Node name*</strong>
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
@ -89,7 +85,7 @@ This is the credential store. An administrator can set credentials for each AllJ
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/**<strong>*Node name*</strong>
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It's typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
@ -105,7 +101,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
## Examples
Set adapter configuration
```xml
@ -128,7 +123,7 @@ SyncML xmlns="SYNCML:SYNCML1.2">
</SyncML>
```
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. The data is base-64 encoded representation of the configuration file that you're setting.
Get PIN data
@ -167,7 +162,9 @@ Get the firewall PrivateProfile
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

21
windows/client-management/mdm/alljoynmanagement-ddf.md
View File

@ -1,20 +1,18 @@
---
title: AllJoynManagement DDF
description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 12/05/2017
---
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -238,7 +236,7 @@ It is typically implemented as a GUID.</Description>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -328,15 +326,4 @@ It is typically implemented as a GUID.</Description>
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

39
windows/client-management/mdm/application-csp.md
View File

@ -1,27 +1,38 @@
---
title: APPLICATION configuration service provider
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# APPLICATION configuration service provider
# APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
The following list shows the supported transports:
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
@ -29,15 +40,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

33
windows/client-management/mdm/applicationcontrol-csp-ddf.md
View File

@ -1,23 +1,20 @@
---
title: ApplicationControl CSP DDF
description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 07/10/2019
---
# ApplicationControl CSP DDF
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### ApplicationControl CSP
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -32,7 +29,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<Description>Root Node of the ApplicationControl CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The GUID of the Policy</Description>
<Description>The GUID of the Policy.</Description>
<DFFormat>
<node />
</DFFormat>
@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64</Description>
<Description>The policy binary encoded as base64.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID</Description>
<Description>Information Describing the Policy indicated by the GUID.</Description>
<DFFormat>
<node />
</DFFormat>
@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<Description>Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. </Description>
<DFFormat>
<bool />
</DFFormat>
@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<Description>The Current Status of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<int />
</DFFormat>
@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</Node>
</Node>
</MgmtTree>
```
```
## Related topics
[ApplicationControl configuration service provider](applicationcontrol-csp.md)

84
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,24 +1,35 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.reviewer: jsuther1974
ms.date: 09/10/2020
---
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The table below shows the applicability of Windows:
The following shows the ApplicationControl CSP in tree format.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
```
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although, WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.
```console
./Vendor/MSFT
ApplicationControl
----Policies
@ -43,6 +54,7 @@ ApplicationControl
----TenantID
----DeviceID
```
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@ -73,21 +85,21 @@ An interior node that contains the nodes that describe the policy indicated by t
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
Value type is char.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-iseffective"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system.
This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- TrueIndicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- FalseIndicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
- TrueIndicates that the policy is loaded by the enforcement engine and is in effect on a system.
- FalseIndicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isdeployed"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
This node specifies whether a policy is deployed on the system and is present on the physical machine.
@ -96,24 +108,24 @@ Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- TrueIndicates that the policy is deployed on the system and is present on the physical machine.
- FalseIndicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
- TrueIndicates that the policy is deployed on the system and is present on the physical machine.
- FalseIndicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isauthorized"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system.
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- TrueIndicates that the policy is authorized to be loaded by the enforcement engine on the system.
- FalseIndicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
- TrueIndicates that the policy is authorized to be loaded by the enforcement engine on the system.
- FalseIndicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value.
The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
|True|True|True|Policy is currently running and in effect.|
|True|True|True|Policy is currently running and is in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
@ -122,14 +134,14 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 == OK.
Value type is integer. Default value is 0 = OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
@ -138,17 +150,17 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
## Microsoft Endpoint Manager Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
In order to leverage the ApplicationControl CSP without using Intune, you must:
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool.
Below is a sample certutil invocation:
@ -171,7 +183,7 @@ To deploy base policy and supplemental policies:
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD).
#### Example 1: Add first base policy
@ -240,7 +252,7 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
The following is an example of Get command:
An example of Get command is:
```xml
<Get>
@ -257,7 +269,7 @@ The following is an example of Get command:
#### Rebootless Deletion
Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
#### Unsigned Policies
@ -266,7 +278,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon
#### Signed Policies
> [!NOTE]
> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** isn't sufficient to delete a signed policy.
To delete a signed policy:
@ -274,7 +286,7 @@ To delete a signed policy:
2. Deploy another update with unsigned Allow All policy.
3. Perform delete.
The following is an example of Delete command:
An example of Delete command is:
```xml
<Delete>
@ -289,12 +301,12 @@ The following is an example of Delete command:
## PowerShell and WMI Bridge Usage Guidance
The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64
2. Open PowerShell in Local System context (through PSExec or something similar)
1. Convert your WDAC policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:
```powershell
@ -305,7 +317,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Deploying a policy via WMI Bridge
Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces.
Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces.
```powershell
New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="<PolicyID>";Policy=$policyBase64}
@ -315,4 +327,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName
```
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

102
windows/client-management/mdm/applocker-csp.md
View File

@ -1,23 +1,32 @@
---
title: AppLocker CSP
description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 11/19/2019
---
# AppLocker CSP
The table below shows the applicability of Windows:
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The following shows the AppLocker configuration service provider in tree format.
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
The following example shows the AppLocker configuration service provider in tree format.
```console
./Vendor/MSFT
@ -74,16 +83,14 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
Additional information:
> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
@ -96,14 +103,14 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
@ -125,7 +132,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -144,7 +151,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -163,7 +170,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -182,7 +189,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -206,31 +213,34 @@ Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy
You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy
Exempt examples:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy
Additional information:
- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
<a href="" id="applocker-enterprisedataprotection-grouping"></a>**AppLocker/EnterpriseDataProtection/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
@ -259,19 +269,19 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
![device portal screenshot.](images/applocker-screenshot1.png)
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
![device portal app manager.](images/applocker-screenshot3.png)
5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
![app manager.](images/applocker-screenshot2.png)
@ -279,11 +289,11 @@ The following table shows the mapping of information to the AppLocker publisher
|Device portal data|AppLocker publisher rule field|
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>This can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
|Version|Version<br> <br>The version can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
Here is an example AppLocker publisher rule:
Here's an example AppLocker publisher rule:
```xml
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
@ -293,13 +303,13 @@ Here is an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
Request URI:
@ -307,7 +317,7 @@ Request URI:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
```
Here is the example for Microsoft OneNote:
Here's the example for Microsoft OneNote:
Request
@ -330,13 +340,13 @@ Result
|--- |--- |
|packageIdentityName|ProductName|
|publisherCertificateName|Publisher|
|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there is a XAP package associated with the app in the Store. <br> <br>If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there's a XAP package associated with the app in the Store. <br> <br>If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
## <a href="" id="settingssplashapps"></a>Settings apps that rely on splash apps
These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
The product name is first part of the PackageFullName followed by the version number.
@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
## <a href="" id="inboxappsandcomponents"></a>Inbox apps and components
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
@ -526,7 +532,7 @@ The following example blocks the usage of the map application.
</SyncML>
```
The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -1022,7 +1028,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
```
## Example for Windows 10 Holographic for Business
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings.
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings.
```xml
<RuleCollection Type="Appx" EnforcementMode="Enabled">
@ -1276,8 +1282,9 @@ The following example for Windows 10 Holographic for Business denies all apps an
</RuleCollection>
```
## Recommended deny list for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
## Recommended blocklist for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
@ -1460,5 +1467,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

21
windows/client-management/mdm/applocker-ddf-file.md
View File

@ -1,20 +1,18 @@
---
title: AppLocker DDF file
description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 12/05/2017
---
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -672,15 +670,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 
[AppLocker configuration service provider](applocker-csp.md)

8
windows/client-management/mdm/applocker-xsd.md
View File

@ -1,20 +1,18 @@
---
title: AppLocker XSD
description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
---
# AppLocker XSD
Here's the XSD for the AppLocker CSP.
```xml

12
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -1,14 +1,14 @@
---
title: Deploy and configure App-V apps using MDM
description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server.
ms.author: dansimp
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 06/26/2017
ms.reviewer:
manager: dansimp
manager: aaroncz
---
# Deploy and configure App-V apps using MDM
@ -23,7 +23,7 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
The following example shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
@ -54,7 +54,7 @@ EnterpriseAppVManagement
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
@ -144,7 +144,7 @@ EnterpriseAppVManagement
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).</p>
```xml
<Replace>

7
windows/client-management/mdm/assign-seats.md
View File

@ -1,14 +1,13 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business.
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
author: vinaypamnani-msft
ms.date: 09/18/2017
---

209
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -1,37 +1,47 @@
---
title: AssignedAccess CSP
description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984
ms.reviewer:
manager: dansimp
ms.author: dansimp
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 09/18/2018
author: vinaypamnani-msft
ms.date: 05/03/2022
---
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Warning]
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following shows the AssignedAccess configuration service provider in tree format
The following example shows the AssignedAccess configuration service provider in tree format
```
```console
./Vendor/MSFT
AssignedAccess
----KioskModeApp
@ -40,21 +50,22 @@ AssignedAccess
----ShellLauncher (Added in Windows 10, version 1803)
----StatusConfiguration (Added in Windows 10, version 1803)
```
<a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app).
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> [!Note]
> You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
@ -66,21 +77,22 @@ Here's an example:
> [!Tip]
> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\.
>
> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
>
> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name.
> [!Note]
> The domain name can be optional if the user name is unique across the system.
> The domain name can be optional, if the user name is unique across the system.
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key.
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
@ -91,18 +103,18 @@ Enterprises can use this to easily configure and manage the curated lockdown exp
Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout).
<a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode.
|Status |Description |
|---------|---------|---------|
| KioskModeAppRunning | This means the kiosk app is running normally. |
| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
| KioskModeAppRunning | This status means the kiosk app is running normally. |
| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. |
| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
> [!NOTE]
> Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
@ -113,7 +125,7 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito
| 2 | KioskModeAppNotFound |
| 3 | KioskModeAppActivationFailure |
Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error.
Additionally, the status payload includes a profileId that can be used by the MDM server to correlate as to which kiosk app caused the error.
In Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes.
@ -136,27 +148,27 @@ In Windows 10, version 1809, Assigned Access runtime status supports monitoring
Additionally, the Status payload includes the following fields:
- profileId: can be used by the MDM server to correlate which account caused the error.
- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist.
- profileId: It can be used by the MDM server to correlate which account caused the error.
- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist.
Supported operation is Get.
<a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**
Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher).
> [!Note]
> You cannot set both ShellLauncher and KioskModeApp at the same time on the device.
> You can't set both ShellLauncher and KioskModeApp at the same time on the device.
>
> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.
> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.
>
>The ShellLauncher node is not supported in Windows 10 Pro.
<a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
This MDM alert header is defined as follows:
@ -254,7 +266,7 @@ KioskModeApp Replace
## AssignedAccessConfiguration XSD
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -265,11 +277,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
@ -279,8 +293,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
@ -289,7 +309,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutualExclusionAumidOrClassicAppPath">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
</xs:key>
<xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
</xs:unique>
</xs:element>
<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
@ -390,6 +422,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
@ -428,10 +461,11 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
</xs:schema>);
```
Here is the schema for new features introduced in Windows 10 1809 release
Here's the schema for new features introduced in Windows 10 1809 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -477,6 +511,7 @@ Here is the schema for new features introduced in Windows 10 1809 release
```
Schema for Windows 10 prerelease
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -506,7 +541,33 @@ Schema for Windows 10 prerelease
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<xs:attribute name="ClassicAppPath" type="xs:string"/>
<xs:attribute name="ClassicAppArguments" type="xs:string"/>
<xs:element name="BreakoutSequence" type="BreakoutSequence_t" />
<xs:complexType name="BreakoutSequence_t">
<xs:attribute name="Key" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
@ -521,6 +582,7 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
## Example AssignedAccessConfiguration XML
Example XML configuration for a multi-app kiosk:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
@ -572,13 +634,60 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
</AssignedAccessConfiguration>
```
Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
> [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA, so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms when handling xml in xml. Consider its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both end user who configures the CSP and transparent to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
Escape and CDATA are mechanisms used when handling xml in xml. Consider that its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both, the end user who configures the CSP and to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
This example shows escaped XML of the Data node.
@ -894,8 +1003,8 @@ StatusConfiguration Add OnWithAlerts
</SyncML>
```
StatusConfiguration Delete
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
@ -962,6 +1071,7 @@ StatusConfiguration Replace On
## Status example
Status Get
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
@ -1237,6 +1347,11 @@ ShellLauncherConfiguration Add
ShellLauncherConfiguration Add AutoLogon
This function creates an autologon account on your behalf. It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed.
> [!Note]
> The autologon function is designed to be used after OOBE with provisioning packages.
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
@ -1478,4 +1593,8 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C
</Config>
</Configs>
</AssignedAccessConfiguration>
```
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

Some files were not shown because too many files have changed in this diff Show More