From 928b15d8189160f74404235e0ea35c744d5fee40 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Fri, 4 Aug 2017 09:11:30 -0700 Subject: [PATCH 1/6] typo --- .../change-history-for-application-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 7bef51c2dd..92e5039334 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -18,6 +18,6 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) | New or changed topic | Description | | --- | --- | | [Service Host process refactoring](svchost-service-refactoring.md) | New | -| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New | +| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New | From f55d1bb651f61e1f0ef2cb2b0445eee2087099d8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 4 Aug 2017 16:24:12 +0000 Subject: [PATCH 2/6] Updated create-or-edit-the-sms-defmof-file.md --- .../create-or-edit-the-sms-defmof-file.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md index bfe000fee3..574338d185 100644 --- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md +++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md @@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers [ SMS_Report (TRUE) ] Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")] @@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] @@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers string EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] From 8edaf288c5c40972d42e23823dacc349dd5bc5a9 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 4 Aug 2017 16:24:52 +0000 Subject: [PATCH 3/6] Merged PR 2547: CredentialProviders/DisableAutomaticReDeploymentCredentials - renamed the policy in Policy CSP --- ...ew-in-windows-mdm-enrollment-management.md | 27 ++++++++++++++++++- .../policy-configuration-service-provider.md | 2 +- .../mdm/policy-csp-credentialproviders.md | 9 ++++--- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ff7ed8e468..668b0b1ce3 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -969,7 +969,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s [Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1709:

    -
  • CredentialProviders/EnableWindowsAutoPilotResetCredentials
    • +
  • CredentialProviders/DisableAutomaticReDeploymentCredentials
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • DeviceGuard/LsaCfgFlags
    • @@ -1280,6 +1280,31 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### August 2017 + + ++++ + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [CM_ProxyEntries CSP](cm-proxyentries-csp.md)

    Updated the description of PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    +
    [Policy CSP](policy-configuration-service-provider.md)Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
    + ### July 2017 diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7659b059e9..e4b452f608 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -534,7 +534,7 @@ The following diagram shows the Policy configuration service provider in tree fo CredentialProviders/BlockPicturePassword
    - CredentialProviders/EnableWindowsAutoPilotResetCredentials + CredentialProviders/DisableAutomaticReDeploymentCredentials
    diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 66d1f6d390..4ea0afb98d 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -124,7 +124,7 @@ ADMX Info: -**CredentialProviders/EnableWindowsAutoPilotResetCredentials** +**CredentialProviders/DisableAutomaticReDeploymentCredentials**
    @@ -150,11 +150,12 @@ ADMX Info: -Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. +Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. -The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. +The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. -Default value is 0. +- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment +- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment From 34d7ec4c8fdd4e5759f92215ae112878b6d29a7b Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Fri, 4 Aug 2017 20:14:16 +0000 Subject: [PATCH 4/6] Merged PR 2577: removed false sku supports introduced via bug in automation removed false sku supports introduced via bug in automation --- .../mdm/policy-csp-textinput.md | 20 ---------------- .../client-management/mdm/policy-csp-wifi.md | 24 +------------------ .../mdm/policy-csp-wirelessdisplay.md | 20 ---------------- 3 files changed, 1 insertion(+), 63 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index a301e620e4..213a633652 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -364,26 +364,6 @@ ms.date: 07/14/2017 **TextInput/AllowKoreanExtendedHanja** -
    - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 14181da459..2a91601f05 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -23,26 +23,6 @@ ms.date: 07/14/2017 **WiFi/AllowWiFiHotSpotReporting** - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    @@ -303,8 +283,6 @@ Footnote: -## Wifi policies supported by Microsoft Surface Hub - -- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) + diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 535bc242b7..7662a3bdcb 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -163,26 +163,6 @@ ms.date: 07/14/2017 **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    From 096b2a990552006e484d8ae49350628e80022405 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 4 Aug 2017 21:29:03 +0000 Subject: [PATCH 5/6] Merged PR 2578: New LocalPoliciesSecurityOption policies in Policy CSP --- windows/client-management/mdm/TOC.md | 1 + ...ew-in-windows-mdm-enrollment-management.md | 63 +- .../policy-configuration-service-provider.md | 78 +- ...policy-csp-localpoliciessecurityoptions.md | 1197 +++++++++++++++++ 4 files changed, 1332 insertions(+), 7 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 4dbf9db55b..f586df7407 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -203,6 +203,7 @@ #### [InternetExplorer](policy-csp-internetexplorer.md) #### [Kerberos](policy-csp-kerberos.md) #### [Licensing](policy-csp-licensing.md) +#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) #### [Location](policy-csp-location.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 668b0b1ce3..ddbd9bfab8 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/28/2017 +ms.date: 08/04/2017 --- # What's new in MDM enrollment and management @@ -973,6 +973,30 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • DeviceGuard/LsaCfgFlags
    • +
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
  • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
  • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
  • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Power/DisplayOffTimeoutOnBattery
  • Power/DisplayOffTimeoutPluggedIn
  • Power/HibernateTimeoutOnBattery
    • @@ -1295,13 +1319,40 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware -[CM_ProxyEntries CSP](cm-proxyentries-csp.md) -

    Updated the description of PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    +[CM\_CellularEntries CSP](cm-cellularentries-csp.md) +

    Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    [Policy CSP](policy-configuration-service-provider.md) -Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials. - +

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
      • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
      • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
      • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
      • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • +
    +

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    + @@ -1338,7 +1389,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Education/DefaultPrinterName
    • Education/PreventAddingNewPrinters
      • -
    • Education/PrinterNames
      • +
    • Education/PrinterNames
    • Security/ClearTPMIfNotReady
    • WindowsDefenderSecurityCenter/CompanyName
    • WindowsDefenderSecurityCenter/DisableAppBrowserUI
      • diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e4b452f608..8887d570cb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/27/2017 +ms.date: 08/04/2017 --- # Policy CSP @@ -1778,6 +1778,82 @@ The following diagram shows the Policy configuration service provider in tree fo +### LocalPoliciesSecurityOptions policies + +
      +
      + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
      +
      + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
      +
      + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
      +
      + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
      + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
      +
      + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
      +
      + LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn +
      +
      + LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn +
      +
      + LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
      +
      + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
      +
      + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
      +
      + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
      +
      + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
      +
      + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
      +
      + ### Location policies
      diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md new file mode 100644 index 0000000000..62c962b525 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -0,0 +1,1197 @@ +--- +title: Policy CSP - LocalPoliciesSecurityOptions +description: Policy CSP - LocalPoliciesSecurityOptions +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/04/2017 +--- + +# Policy CSP - LocalPoliciesSecurityOptions + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + +## LocalPoliciesSecurityOptions policies + + +**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This policy setting prevents users from adding new Microsoft accounts on this computer. + +If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + +Valid values: +- 0 - disabled (users will be able to use Microsoft accounts with Windows) +- 1 - enabled (users cannot add Microsoft accounts) +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This security setting determines whether the local Administrator account is enabled or disabled. + +If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. +Disabling the Administrator account can become a maintenance issue under certain circumstances. + +Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. + +Default: Disabled. +Valid values: +- 0 - local Administrator account is disabled +- 1 - local Administrator account is enabled + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +This security setting determines if the Guest account is enabled or disabled. + +Default: Disabled. +Valid values: +- 0 - local Guest account is disabled +- 1 - local Guest account is enabled + +Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Limit local account use of blank passwords to console logon only + +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. + +Default: Enabled. +Valid values: +- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console +- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard + +Warning: + +Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +This setting does not affect logons that use domain accounts. +It is possible for applications that use remote interactive logons to bypass this setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Rename administrator account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +Default: Administrator. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Accounts: Rename guest account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +Default: Guest. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive Logon:Display user information when the session is locked + +Valid values: +- 1 - User display name, domain and user names +- 2 - User display name only +- 3 - Do not display user information + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Don't display last signed-in + +This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Don't display username at sign-in + +This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. + +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Do not require CTRL+ALT+DEL + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. + +Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled. +Valid values: +- 0 - disabled +- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Machine inactivity limit. + +Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. + +Default: not enforced. +Valid values: +- 0 - disabled +- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Message text for users attempting to log on + +This security setting specifies a text message that is displayed to users when they log on. + +This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +Interactive logon: Message title for users attempting to log on + +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + +Valid values: +- 0 - disabled +- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +Recovery console: Allow automatic administrative logon + +This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. + +Default: This policy is not defined and automatic administrative logon is not allowed. +Valid values: +- 0 - disabled +- 1 - enabled (allow automatic administrative logon) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. +Valid values: +- 0 - disabled +- 1 - enabled (allow system to be shut down without having to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. + +Disabled: (Default) +Valid values: +- 0 - disabled +- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) + +The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + +This policy setting controls the behavior of the elevation prompt for administrators. + +The options are: + +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Behavior of the elevation prompt for standard users +This policy setting controls the behavior of the elevation prompt for standard users. + +The options are: + +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Only elevate executable files that are signed and validated + +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + +The options are: +- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: +- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Switch to the secure desktop when prompting for elevation + +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + +The options are: +- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + +User Account Control: Virtualize file and registry write failures to per-user locations + +This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. + +The options are: +- 0 - Disabled: Applications that write data to protected locations fail. +- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + \ No newline at end of file From 2a5aedc30fa45eac55ddbd9bd7819dc2ce0b2511 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 4 Aug 2017 21:34:35 +0000 Subject: [PATCH 6/6] Merged PR 2579: small edit of VDA instructions a more complete definition of VDA --- windows/deployment/vda-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 4eead9a058..8d3a787f3c 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -12,7 +12,7 @@ author: greg-lindsay # Configure VDA for Windows 10 Subscription Activation -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license. +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. ## Requirements