bring even with main, fix merge conflict

Aaron Czechowski 2023-08-08 12:33:38 -07:00
commit bd824dbc6f
68 changed files with 2004 additions and 1425 deletions

View File

@ -1104,6 +1104,11 @@
"source_path": "windows/deployment/windows-10-deployment-tools-reference.md", "source_path": "windows/deployment/windows-10-deployment-tools-reference.md",
"redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device",
"redirect_document_id": true
} }
] ]
} }
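Review bot: The new entry for `windows-autopatch-deregister-devices.md` sets `"redirect_document_id": true`, while the entry directly above it uses `false`. Please confirm this is intended, that is, that `windows-autopatch-exclude-device` is the renamed successor of the deregister article and not a separate existing article. If it is a separate article, use `false` to match the neighbouring entries.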

View File

@ -2,6 +2,14 @@
## Week of July 31, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
## Week of July 24, 2023 ## Week of July 24, 2023

View File

@ -2,7 +2,7 @@
title: Windows 11 SE Overview title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system. description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview ms.topic: overview
ms.date: 07/25/2023 ms.date: 08/03/2023
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection: ms.collection:
@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---| | --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.| |Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. | | Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.| |`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.| |Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
> [!IMPORTANT] > [!IMPORTANT]
> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications). > If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
## Applications included in Windows 11 SE ## Applications included in Windows 11 SE
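Review bot: Style point on the Win32 row and the IMPORTANT note: `Win32` is now set in code formatting, but it is a platform name, not a literal a reader types, and UWP and PWA in the same table stay plain. If the backticks are only there to quiet a spelling or terminology check, add the term to the checker's exceptions instead. Otherwise apply one convention to all three app-type names so the table reads consistently.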
@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the
| Alarm & Clock | UWP | | | | Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | | | Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | | | Camera | UWP | ✅ | |
| Microsoft Edge | Win32 | ✅ | ✅ | | Microsoft Edge | `Win32` | ✅ | ✅ |
| Excel | Win32 | ✅ | | | Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | | | Feedback Hub | UWP | | |
| File Explorer | Win32 | | ✅ | | File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | | | FlipGrid | PWA | | |
| Get Help | UWP | | | | Get Help | UWP | | |
| Media Player | UWP | ✅ | | | Media Player | UWP | ✅ | |
@ -61,20 +61,20 @@ The following table lists all the applications included in Windows 11 SE and the
| Minecraft: Education Edition | UWP | | | | Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | | | Movies & TV | UWP | | |
| News | UWP | | | | News | UWP | | |
| Notepad | Win32 | | | | Notepad | `Win32` | | |
| OneDrive | Win32 | | | | OneDrive | `Win32` | | |
| OneNote | Win32 | ✅ | | | OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | | | Outlook | PWA | ✅ | |
| Paint | Win32 | ✅ | | | Paint | `Win32` | ✅ | |
| Photos | UWP | | | | Photos | UWP | | |
| PowerPoint | Win32 | ✅ | | | PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | | | Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | | | Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | | | Sticky Notes | UWP | | |
| Teams | Win32 | ✅ | | | Teams | `Win32` | ✅ | |
| To Do | UWP | | | | To Do | UWP | | |
| Whiteboard | UWP | ✅ | | | Whiteboard | UWP | ✅ | |
| Word | Win32 | ✅ | | | Word | `Win32` | ✅ | |
## Available applications ## Available applications
@ -82,98 +82,98 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor | | Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------| |-------------------------------------------|-------------------|----------|-------------------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` | | `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` | | `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | Win32 | `AIR` | | `AirSecure` | 8.0.0 | `Win32` | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` | | `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` | | `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | | `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | | `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` |
| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` | | `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | Win32 | `Class Policy` | | `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | | `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` | | `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | | `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | | `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.0.6 | Win32 | `Digiexam` | | `DigiExam` | 14.0.6 | `Win32` | `Digiexam` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | | `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | | `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | | `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` |
| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` |
| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` | | `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` | | `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` | | `Epson iProjection` | 3.31 | `Win32` | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` | | `eTests` | 4.0.25 | `Win32` | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` | | `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | | `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | | `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` | | `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` |
| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` | | `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | | `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | | `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` |
| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` | | `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | | `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | Win32 | `SIL International` | | `Keyman` | 16.0.138 | `Win32` | `SIL International` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | | `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` | | `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` | | `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` | | `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | | `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` |
| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` | | `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` |
| `NAPLAN` | 5.2.2 | Win32 | `NAP` | | `NAPLAN` | 5.2.2 | `Win32` | `NAP` |
| `Netref Student` | 23.1.0 | Win32 | `NetRef` | | `Netref Student` | 23.1.0 | `Win32` | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | | `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | | `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` |
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` | | `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` | | `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` |
| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` | | `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` | | `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` | | `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` | | `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` | | `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` | | `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` | | `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` | | `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` | | `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | | `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` | |`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` | |`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | | `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` |
| `Skoolnext` | 2.19 | Win32 | `Skool.net` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` | | `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | |`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | | `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | Win32 | `WordQ` | | `WordQ` | 5.4.29 | `Win32` | `WordQ` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | | `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` | | `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` | | `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` |
## Add your own applications ## Add your own applications
If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements: Microsoft reviews every app request to make sure each app meets the following requirements:
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more - Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more
- Apps must be in one of the following app categories: - Apps must be in one of the following app categories:
- Content Filtering apps - Content Filtering apps
- Test Taking solutions - Test Taking solutions
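Review bot: The `Clipchamp` row in the available applications table still reads `2.5.2.` with a trailing period in the supported version column, and this hunk leaves it unchanged while rewriting most other rows. Since administrators compare this column against the version they deploy, fix the stray period (or complete the version number) in the same pass.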

View File

@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes| |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes| |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes| |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes| |**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes| |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes| |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes| |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes| |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
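Review bot: The new OneFuzz link on the `OneFuzz service` row is an absolute URL to a dated blog post (`/security/blog/2020/09/15/...`), while the other linked rows in this table use site-relative documentation paths. A blog post from 2020 is more likely to go stale or move than a docs article. Prefer a documentation or project page if one exists, and otherwise confirm the post still describes the service this row claims is part of every edition.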

View File

@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes| |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes| |**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes|Yes| |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes| |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
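Review bot: After this change the `Opportunistic Wireless Encryption (OWE)` and `Privacy Resource Usage` rows are the only entries in the visible part of this table with no link. If the goal of the hunk is to give every feature row a reference, add targets for those two as well, or note why they are left unlinked. The same applies to the matching rows in the previous include file.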

View File

@ -15,8 +15,8 @@ The following table lists the Windows editions that support Federated sign-in:
Federated sign-in license entitlements are granted by the following licenses: Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:| |:---:|:---:|:---:|:---:|:---:|
|No|No|No|Yes|Yes| |Yes|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
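Review bot: This is an entitlement change, not a wording change: the first column goes from `Windows Pro/Pro Education/SE` with `No` to `Windows Pro Education/SE` with `Yes`, so Windows Pro drops out of the table entirely. Please confirm the editions table referenced in the hunk header ("the Windows editions that support Federated sign-in") agrees with the new column, and that every other licensing include with the old `Windows Pro/Pro Education/SE` heading is either updated the same way or deliberately left alone.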

View File

@ -45,14 +45,15 @@ There are different types of apps that can run on your Windows client devices. T
- **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development). - **Windows Presentation Foundation (WPF)**: Using .NET, you can create a WPF desktop app that runs on the device, or create a WPF web app. This app is commonly used by organizations that create line of business (LOB) desktop apps. For more information, see [WPF Application Development](/dotnet/desktop/wpf/app-development).
- **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview). - **Windows Forms (WinForm)**: Using .NET, you can create a Windows Forms desktop app that runs on the device, and doesn't require a web browser or internet access. Just like Win32 apps, WinForm apps can access the local hardware and file system of the computer where the app is running. For more information, see [Desktop Guide (Windows Forms .NET)](/dotnet/desktop/winforms/overview).
- **Windows apps**: - **Windows apps**:
> [!TIP] > [!TIP]
> Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/). > Starting with Windows 10, you can use the **Windows UI Library (WinUI 3)** to create .NET, Win32 desktop, and UWP apps. This library includes native Windows UI controls and other user interface elements familiar to Windows users. For more information, see [Windows UI Library (WinUI)](/windows/apps/winui/).
- **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps: - **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
- **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md). - **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
- **Installed**: Installed as part of the OS. - **Installed**: Installed as part of the OS.
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps. - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
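Review bot: The rewritten **Provisioned** bullet does not say what kind of session `Get-AppxProvisionedPackage -Online` needs. Add a short note on whether the command must run from an elevated Windows PowerShell prompt, so readers who run it as a standard user know what to expect. The bullet also drops the link to `provisioned-apps-windows-client-os.md`. If that article is removed in this commit, it needs an entry in the redirection file, and none is visible in the redirect hunk shown here.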
@ -63,7 +64,7 @@ There are different types of apps that can run on your Windows client devices. T
For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows). For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
- **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md). - **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform. - **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.
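Review bot: The command added to the **System apps** bullet uses the aliases `?` and `Sort`. In published documentation, spell them out as `Where-Object` and `Sort-Object` so the line reads clearly and does not depend on alias definitions. The bullet also defines system apps as those installed in `C:\Windows\`, while the command selects on `SignatureKind -eq "System"`. State which of the two is the actual definition, or say that they are equivalent.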

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 07/06/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -34,7 +34,9 @@ The following list shows the Defender configuration service provider nodes:
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions) - [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory) - [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod) - [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
- [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation) - [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
- [DaysUntilAggressiveCatchupQuickScan](#configurationdaysuntilaggressivecatchupquickscan)
- [DefaultEnforcement](#configurationdefaultenforcement) - [DefaultEnforcement](#configurationdefaultenforcement)
- [DeviceControl](#configurationdevicecontrol) - [DeviceControl](#configurationdevicecontrol)
- [PolicyGroups](#configurationdevicecontrolpolicygroups) - [PolicyGroups](#configurationdevicecontrolpolicygroups)
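Review bot: The two list entries added here, `DataDuplicationMaximumQuota` and `DaysUntilAggressiveCatchupQuickScan`, link to the anchors `#configurationdataduplicationmaximumquota` and `#configurationdaysuntilaggressivecatchupquickscan`, but the node sections those anchors should land on are not in the visible part of this diff. Confirm the sections are added in the same commit, with allowed values and defaults documented, so the list does not ship with dead links. The same check applies to the entries added in the following hunks (`DisableCacheMaintenance`, `EnableConvertWarnToBlock`, `ExcludedIpAddresses`, `PerformanceModeStatus`).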
@ -44,6 +46,7 @@ The following list shows the Defender configuration service provider nodes:
- [{RuleId}](#configurationdevicecontrolpolicyrulesruleid) - [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata) - [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled) - [DeviceControlEnabled](#configurationdevicecontrolenabled)
- [DisableCacheMaintenance](#configurationdisablecachemaintenance)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans) - [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDatagramProcessing](#configurationdisabledatagramprocessing) - [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing) - [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
@ -58,20 +61,24 @@ The following list shows the Defender configuration service provider nodes:
- [DisableSmtpParsing](#configurationdisablesmtpparsing) - [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing) - [DisableSshParsing](#configurationdisablesshparsing)
- [DisableTlsParsing](#configurationdisabletlsparsing) - [DisableTlsParsing](#configurationdisabletlsparsing)
- [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock)
- [EnableDnsSinkhole](#configurationenablednssinkhole) - [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation) - [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel) - [EngineUpdatesChannel](#configurationengineupdateschannel)
- [ExcludedIpAddresses](#configurationexcludedipaddresses)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins) - [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled) - [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation) - [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled) - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime) - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration) - [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
- [SecurityIntelligenceLocationUpdateAtScheduledTimeOnly](#configurationsecurityintelligencelocationupdateatscheduledtimeonly)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel) - [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation) - [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection) - [TamperProtection](#configurationtamperprotection)
@ -306,7 +313,7 @@ This settings controls whether Network Protection is allowed to be configured in
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-Begin --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-End --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-End -->
<!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-Begin --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-Begin -->
@ -468,6 +475,45 @@ Define the retention period in days of how much time the evidence data will be k
<!-- Device-Configuration-DataDuplicationLocalRetentionPeriod-End --> <!-- Device-Configuration-DataDuplicationLocalRetentionPeriod-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Begin -->
### Configuration/DataDuplicationMaximumQuota
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationMaximumQuota
```
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-Begin -->
<!-- Description-Source-DDF -->
Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-End -->
<!-- Device-Configuration-DataDuplicationRemoteLocation-Begin --> <!-- Device-Configuration-DataDuplicationRemoteLocation-Begin -->
### Configuration/DataDuplicationRemoteLocation ### Configuration/DataDuplicationRemoteLocation
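Review bot: The DFProperties table for DataDuplicationMaximumQuota lists the format as `chr` (string) even though the description defines the value as a quota in MB, and it gives no default and no allowed range. Either make the node an `int` with a range, or use the Editable section to state the expected string form, the value that applies when the node is unset, and how a non-numeric string is handled. Since reaching the quota stops data duplication, an admin needs those bounds to size it.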
@ -507,6 +553,47 @@ Define data duplication remote location for device control.
<!-- Device-Configuration-DataDuplicationRemoteLocation-End --> <!-- Device-Configuration-DataDuplicationRemoteLocation-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Begin -->
### Configuration/DaysUntilAggressiveCatchupQuickScan
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DaysUntilAggressiveCatchupQuickScan
```
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0,7-60]` |
| Default Value | 25 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-End -->
<!-- Device-Configuration-DefaultEnforcement-Begin --> <!-- Device-Configuration-DefaultEnforcement-Begin -->
### Configuration/DefaultEnforcement ### Configuration/DefaultEnforcement
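Review bot: The description for DaysUntilAggressiveCatchupQuickScan calls `[7-60]` the valid interval and only afterwards allows 0, while the Allowed Values row says `[0,7-60]`. Reword the description so the two agree (for example "0, or 7 to 60"), and state that values 1 to 6 are rejected. The Editable section is empty. Because 0 disables aggressive quick scans entirely, it should say what an aggressive quick scan is and when it triggers.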
@ -873,6 +960,45 @@ Control Device Control feature.
<!-- Device-Configuration-DeviceControlEnabled-End --> <!-- Device-Configuration-DeviceControlEnabled-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Begin -->
### Configuration/DisableCacheMaintenance
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-End -->
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableCacheMaintenance
```
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Description-Begin -->
<!-- Description-Source-DDF -->
Defines whether the cache maintenance idle task will perform the cache maintenance or not.
<!-- Device-Configuration-DisableCacheMaintenance-Description-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-End -->
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-End -->
<!-- Device-Configuration-DisableCacheMaintenance-End -->
<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin --> <!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin -->
### Configuration/DisableCpuThrottleOnIdleScans ### Configuration/DisableCpuThrottleOnIdleScans
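Review bot: DisableCacheMaintenance is documented as `chr` (string) with no allowed values and no default, so the page never says which string turns maintenance off. The description ("will perform the cache maintenance or not") also reads as an enable switch, while the node name is a disable switch. Add an allowed-values table, or an `int` 0/1 enum like the neighbouring Disable* nodes in this file, and phrase the description in terms of what setting the value disables.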
@ -928,7 +1054,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-Begin --> <!-- Device-Configuration-DisableDatagramProcessing-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-End --> <!-- Device-Configuration-DisableDatagramProcessing-Applicability-End -->
<!-- Device-Configuration-DisableDatagramProcessing-OmaUri-Begin --> <!-- Device-Configuration-DisableDatagramProcessing-OmaUri-Begin -->
@ -1282,7 +1408,7 @@ This setting disables Inbound connection filtering for Network Protection.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-Begin --> <!-- Device-Configuration-DisableLocalAdminMerge-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings. When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-End --> <!-- Device-Configuration-DisableLocalAdminMerge-Description-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Editable-Begin --> <!-- Device-Configuration-DisableLocalAdminMerge-Editable-Begin -->
@ -1304,8 +1430,8 @@ When this value is set to false, it allows a local admin the ability to specify
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 | Disable Local Admin Merge. | | 1 | Yes. |
| 0 (Default) | Enable Local Admin Merge. | | 0 (Default) | No. |
<!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-End --> <!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Examples-Begin --> <!-- Device-Configuration-DisableLocalAdminMerge-Examples-Begin -->
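Review bot: In the allowed-values table for DisableLocalAdminMerge, replacing "Disable Local Admin Merge." and "Enable Local Admin Merge." with "Yes." and "No." makes the rows unreadable on their own, because the reader has to map Yes/No back onto a negated node name. The default of 0 is the permissive case, in which a local admin can merge list settings with policy, so the row should say that explicitly. The text is marked `Description-Source-DDF`, so the wording needs to be fixed in the DDF `ValueDescription` entries rather than here.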
@ -1559,6 +1685,55 @@ This setting disables TLS Parsing for Network Protection.
<!-- Device-Configuration-DisableTlsParsing-End --> <!-- Device-Configuration-DisableTlsParsing-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Begin -->
### Configuration/EnableConvertWarnToBlock
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/EnableConvertWarnToBlock
```
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether network protection blocks network traffic instead of displaying a warning.
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Warn verdicts are converted to block. |
| 0 (Default) | Warn verdicts aren't converted to block. |
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-End -->
<!-- Device-Configuration-EnableDnsSinkhole-Begin --> <!-- Device-Configuration-EnableDnsSinkhole-Begin -->
### Configuration/EnableDnsSinkhole ### Configuration/EnableDnsSinkhole
@ -1710,6 +1885,45 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
<!-- Device-Configuration-EngineUpdatesChannel-End --> <!-- Device-Configuration-EngineUpdatesChannel-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Begin -->
### Configuration/ExcludedIpAddresses
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-End -->
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
```
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Description-Begin -->
<!-- Description-Source-DDF -->
Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
<!-- Device-Configuration-ExcludedIpAddresses-Description-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-End -->
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-End -->
<!-- Device-Configuration-ExcludedIpAddresses-End -->
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Begin --> <!-- Device-Configuration-HideExclusionsFromLocalAdmins-Begin -->
### Configuration/HideExclusionsFromLocalAdmins ### Configuration/HideExclusionsFromLocalAdmins
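Review bot: ExcludedIpAddresses is a `chr` (string) node that switches off packet inspection by wdnisdrv for the listed addresses, yet the section documents no value format and leaves the Examples block empty. State the delimiter, whether IPv6 addresses and ranges or prefixes are accepted, and what happens to a malformed entry, and add one example value. Without that, an admin cannot tell how wide an exclusion they have created.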
@ -2008,6 +2222,55 @@ Setting to control automatic remediation for Sense scans.
<!-- Device-Configuration-PassiveRemediation-End --> <!-- Device-Configuration-PassiveRemediation-End -->
<!-- Device-Configuration-PerformanceModeStatus-Begin -->
### Configuration/PerformanceModeStatus
<!-- Device-Configuration-PerformanceModeStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- Device-Configuration-PerformanceModeStatus-Applicability-End -->
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
```
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-End -->
<!-- Device-Configuration-PerformanceModeStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.
<!-- Device-Configuration-PerformanceModeStatus-Description-End -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-End -->
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-End -->
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
| 1 | Performance mode is disabled. A service restart is required after changing this value. |
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-End -->
<!-- Device-Configuration-PerformanceModeStatus-End -->
<!-- Device-Configuration-PlatformUpdatesChannel-Begin --> <!-- Device-Configuration-PlatformUpdatesChannel-Begin -->
### Configuration/PlatformUpdatesChannel ### Configuration/PlatformUpdatesChannel
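Review bot: The PerformanceModeStatus allowed-values table maps 0 to "enabled" and 1 to "disabled", which is the inverse of what a node named ...Status with an `int` value suggests, and the description does not call the inversion out. Add a sentence to the description or the Editable section that makes the mapping explicit. The 0 row also renders as "0 (Default) | Performance mode is enabled (default)", so the "(default)" inside the description text is redundant. "A service restart is required" should name the service.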
@ -2101,7 +2364,7 @@ In Microsoft Defender Antivirus, randomize the start time of the scan to any int
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. | | 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. |
| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. | | 0 | Scheduled tasks won't be randomized. |
<!-- Device-Configuration-RandomizeScheduleTaskTimes-AllowedValues-End --> <!-- Device-Configuration-RandomizeScheduleTaskTimes-AllowedValues-End -->
<!-- Device-Configuration-RandomizeScheduleTaskTimes-Examples-Begin --> <!-- Device-Configuration-RandomizeScheduleTaskTimes-Examples-Begin -->
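Review bot: The value 0 row for RandomizeScheduleTaskTimes changes documented behaviour, from "begin at a random time within 4 hours after the time specified in Task Scheduler" to "won't be randomized". These are opposite meanings, not a rewording. Confirm against the product which one is correct before merging, and note the correction in the change log if the old text was wrong. The value 1 row still describes tuning the window through SchedulerRandomizationTime rather than saying that randomization is on, so it no longer reads as the counterpart of the new 0 row.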
@ -2239,6 +2502,55 @@ Defines what are the devices primary ids that should be secured by Defender Devi
<!-- Device-Configuration-SecuredDevicesConfiguration-End --> <!-- Device-Configuration-SecuredDevicesConfiguration-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Begin -->
### Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
```
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It's used together with the shared security intelligence location (SecurityIntelligenceLocation).
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time. |
| 0 (Default) | If you either disable or don't configure this setting, updates occur whenever a new security intelligence update is detected at the location that's specified by SecurityIntelligenceLocation. |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin --> <!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
### Configuration/SecurityIntelligenceUpdatesChannel ### Configuration/SecurityIntelligenceUpdatesChannel
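Review bot: The description and both allowed-value rows for SecurityIntelligenceLocationUpdateAtScheduledTimeOnly depend on SecurityIntelligenceLocation and on a "previously configured scheduled update time", but neither is linked or identified by its node path. Link the SecurityIntelligenceLocation setting and name the setting that defines the schedule. Also say what value 1 does when SecurityIntelligenceLocation is not configured, since the row only covers the case where both are set.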

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 07/06/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1033,6 +1033,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>ExcludedIpAddresses</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>AllowNetworkProtectionOnWinServer</NodeName> <NodeName>AllowNetworkProtectionOnWinServer</NodeName>
<DFProperties> <DFProperties>
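Review bot: The new ExcludedIpAddresses node declares `<MSFT:AllowedValues ValueType="None">` with an empty body, so the DDF places no constraint on a string that disables packet inspection for whatever it names. If the value is a delimited list, declare that in AllowedValues so tooling generated from the DDF can validate it, or at least extend the `Description` to state the expected format. The node also has no `DefaultValue`, so behaviour when unset is undocumented.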
@ -1121,7 +1151,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description> <Description>When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -1141,11 +1171,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Disable Local Admin Merge</MSFT:ValueDescription> <MSFT:ValueDescription>Yes</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enable Local Admin Merge</MSFT:ValueDescription> <MSFT:ValueDescription>No</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -1827,7 +1857,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion> <MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
@ -1842,6 +1872,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>EnableConvertWarnToBlock</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting controls whether network protection blocks network traffic instead of displaying a warning</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are converted to block</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are not converted to block</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>DisableNetworkProtectionPerfTelemetry</NodeName> <NodeName>DisableNetworkProtectionPerfTelemetry</NodeName>
<DFProperties> <DFProperties>
@ -1998,6 +2067,84 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>PerformanceModeStatus</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22000</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Performance mode is enabled (default). A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Performance mode is disabled. A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>SecurityIntelligenceLocationUpdateAtScheduledTimeOnly</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It is used together with the shared security intelligence location (SecurityIntelligenceLocation).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you either disable or do not configure this setting, updates occur whenever a new security intelligence update is detected at the location that is specified by SecurityIntelligenceLocation.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName> <NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties> <DFProperties>
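Review bot: The AllowedValues enum of SecurityIntelligenceLocationUpdateAtScheduledTimeOnly lists value 1 before value 0, although DefaultValue is 0 and the enum of the preceding node lists 0 first. Ordering it 0 then 1 would keep the generated tables consistent. The description for value 1 refers to "the previously configured scheduled update time" without naming the setting that holds that schedule, so naming it would let an admin confirm the prerequisite is in place. In the preceding node, both enum descriptions repeat "A service restart is required after changing this value"; that sentence belongs once in the node Description.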
@ -2037,6 +2184,38 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>DaysUntilAggressiveCatchupQuickScan</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0,7-60]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ASROnlyPerRuleExclusions</NodeName> <NodeName>ASROnlyPerRuleExclusions</NodeName>
<DFProperties> <DFProperties>
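Review bot: The Description of DaysUntilAggressiveCatchupQuickScan gives the valid interval as [7-60] and treats 0 as a separate case, while AllowedValues is the single range [0,7-60]. The text never says that 1 through 6 are rejected. Stating that explicitly would save an admin from pushing, for example, 5 and getting an unexplained failure. Since 0 turns aggressive quick scans off entirely, the Description should also say what protection is lost in that case, so a reviewer of a deployed profile can judge whether 0 is acceptable.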
@ -2157,6 +2336,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>DataDuplicationMaximumQuota</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>DataDuplicationLocalRetentionPeriod</NodeName> <NodeName>DataDuplicationLocalRetentionPeriod</NodeName>
<DFProperties> <DFProperties>
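Review bot: DataDuplicationMaximumQuota is described as a quota "in MB", but DFFormat is chr, AllowedValues is ValueType="None" with an empty body, and there is no DefaultValue element. A reader cannot tell what string form is expected (plain decimal digits?), what the lower and upper bounds are, or what quota applies when the node is not set. If the value is numeric, int with a Range would let the CSP reject bad input. If chr is required, the Description should give the accepted format and the default.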
@ -2418,7 +2627,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion> <MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
@ -2467,7 +2676,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.</MSFT:ValueDescription> <MSFT:ValueDescription>Scheduled tasks will not be randomized.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
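Review bot: The new ValueDescription for value 0 ("Scheduled tasks will not be randomized.") states the opposite of the text it replaces, which said tasks begin at a random time within 4 hours. The description for value 1 is outside this hunk, so please confirm it now carries the randomization behaviour and the 4-hour window. Otherwise that detail disappears from the reference. Also confirm that the node's DefaultValue still matches the intended default after the swap, since existing profiles that set 0 will now read as "not randomized".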
@ -2511,6 +2720,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>DisableCacheMaintenance</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines whether the cache maintenance idle task will perform the cache maintenance or not.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>Scan</NodeName> <NodeName>Scan</NodeName>
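Review bot: DisableCacheMaintenance reads as an on/off switch ("whether the cache maintenance idle task will perform the cache maintenance or not"), yet DFFormat is chr, AllowedValues is ValueType="None", and no DefaultValue is given. The Description does not say which value disables maintenance or what happens when the node is absent. An ENUM with 0 and 1 and a ValueDescription for each, as the other switches in this file use, would make the setting auditable. At minimum, document the accepted values and the default.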

View File

@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/15/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Firewall-Begin --> <!-- Firewall-Begin -->
# Firewall CSP # Firewall CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Firewall-Editable-Begin --> <!-- Firewall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@ -3061,7 +3063,7 @@ This value configures the security association idle time, in seconds. Security a
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-OmaUri-Begin -->
@ -3100,7 +3102,7 @@ A list of rules controlling traffic through the Windows Firewall for Hyper-V con
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-OmaUri-Begin -->
@ -3142,7 +3144,7 @@ Unique alpha numeric identifier for the rule. The rule name mustn't include a fo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-OmaUri-Begin -->
@ -3194,7 +3196,7 @@ Specifies the action the rule enforces:
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-OmaUri-Begin -->
@ -3249,7 +3251,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-OmaUri-Begin -->
@ -3299,7 +3301,7 @@ If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-OmaUri-Begin -->
@ -3351,7 +3353,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-OmaUri-Begin -->
@ -3391,7 +3393,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin -->
@ -3430,7 +3432,7 @@ Specifies the friendly name of the Hyper-V Firewall rule.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-OmaUri-Begin -->
@ -3470,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
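Review bot: The Profiles node is now marked "Windows Insider Preview [10.0.25398]", while its sibling rule properties in the surrounding hunks are marked "Windows 11, version 22H2 [10.0.22621] and later". That means a rule authored against 22H2 cannot be scoped to a profile. The same split appears further down for AllowHostPolicyMerge and the DomainProfile and PrivateProfile settings. Please confirm this is intended. If it is, say in the HyperVFirewallRules and HyperVVMSettings descriptions which child nodes are Insider-only, because the Insider tip include added at the top of the page does not identify them. The Insider rows also drop the "and later" suffix the other rows carry. Keep that only if it is the convention for preview builds.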
@ -3520,7 +3522,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-OmaUri-Begin -->
@ -3560,7 +3562,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-OmaUri-Begin -->
@ -3610,7 +3612,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-OmaUri-Begin -->
@ -3650,7 +3652,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-OmaUri-Begin -->
@ -3689,7 +3691,7 @@ Provides information about the specific version of the rule in deployment for mo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-End --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-OmaUri-Begin --> <!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-OmaUri-Begin -->
@ -3729,7 +3731,7 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
<!-- Device-MdmStore-HyperVVMSettings-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-OmaUri-Begin -->
@ -3768,7 +3770,7 @@ Settings for the Windows Firewall for Hyper-V containers. Each setting applies o
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-OmaUri-Begin -->
@ -3810,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@ -3859,7 +3861,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-OmaUri-Begin -->
@ -3909,7 +3911,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-OmaUri-Begin -->
@ -3959,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
@ -3997,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4047,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4097,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4147,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@ -4196,7 +4198,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-OmaUri-Begin -->
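Review bot: The Applicable OS cell for the top-level EnableFirewall row now reads "Windows 11, version 22H2 [10.0.22621] and later", while the DomainProfile, PrivateProfile and PublicProfile rows changed in the same commit read "Windows Insider Preview [10.0.25398]". Per these tables, a 22H2 device accepts the on/off switch but not the per-profile nodes (EnableFirewall, DefaultInboundAction, DefaultOutboundAction, AllowLocalPolicyMerge). Suggest adding a sentence to this node's description saying which profile defaults are enforced when only this switch is delivered, so an admin does not assume a per-profile block policy is in effect on released builds.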
@ -4245,7 +4247,7 @@ This value is an on/off switch for the Hyper-V Firewall. This value controls the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-OmaUri-Begin -->
@ -4294,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@ -4332,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4382,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4432,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4482,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@ -4531,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@ -4569,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4619,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4669,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4719,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin --> <!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2815,6 +2815,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType> <DFType>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName> <NodeName>
@ -3025,6 +3029,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>false</MSFT:Value> <MSFT:Value>false</MSFT:Value>
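Review bot: The added MSFT:Applicability block on this ENUM leaf pairs OsBuildVersion 10.0.25398 with CspVersion 1.0, the same CspVersion that the hunk at -2815 pairs with OsBuildVersion 10.0.22621. If the nodes gated on 10.0.25398 were added to the CSP after the 10.0.22621 ones, please confirm that an identical CspVersion is intended. Tooling that reads only CspVersion from the DDF cannot tell the Insider-only nodes from the released ones.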
@ -3055,6 +3063,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType> <DFType>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>EnableFirewall</NodeName> <NodeName>EnableFirewall</NodeName>
@ -3244,6 +3256,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType> <DFType>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>EnableFirewall</NodeName> <NodeName>EnableFirewall</NodeName>
@ -3433,6 +3449,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType> <DFType>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>EnableFirewall</NodeName> <NodeName>EnableFirewall</NodeName>
@ -4424,6 +4444,10 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<DFType> <DFType>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName> <NodeName>
@ -4808,6 +4832,10 @@ If not specified - a new rule is disabled by default.</Description>
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag"> <MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value> <MSFT:Value>0x1</MSFT:Value>

View File

@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- LAPS-Begin --> <!-- LAPS-Begin -->
# LAPS CSP # LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin --> <!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
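Review bot: The new "[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]" line sits between the "# LAPS CSP" heading and "LAPS-Editable-Begin", which is outside the editable region. The comment two lines below says anything outside that section gets overwritten. Please confirm the include is emitted by the generator and was not added by hand, otherwise the next regeneration will drop it. Also check that a page-level Insider tip is wanted here, since every Applicable OS cell changed in this file still lists released builds and only relabels the existing [10.0.25145] entry.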
@ -54,7 +56,7 @@ The following list shows the LAPS configuration service provider nodes:
<!-- Device-Actions-Applicability-Begin --> <!-- Device-Actions-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-Applicability-End --> <!-- Device-Actions-Applicability-End -->
<!-- Device-Actions-OmaUri-Begin --> <!-- Device-Actions-OmaUri-Begin -->
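Review bot: In the new Applicable OS cell the first entry is still a bare "[10.0.20348.1663] and later" with no release name, unlike every other entry in the row. Suggest naming the release that build belongs to, so a reader can match it to a device without looking up the build number. The relabelled entry "Windows Insider Preview [10.0.25145]" also loses the "and later" that the old "[10.0.25145] and later" text carried, so please confirm that is intentional. The same cell text repeats in the later applicability hunks of this file, so one fix at the source covers them all.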
@ -93,7 +95,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP
<!-- Device-Actions-ResetPassword-Applicability-Begin --> <!-- Device-Actions-ResetPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPassword-Applicability-End --> <!-- Device-Actions-ResetPassword-Applicability-End -->
<!-- Device-Actions-ResetPassword-OmaUri-Begin --> <!-- Device-Actions-ResetPassword-OmaUri-Begin -->
@ -133,7 +135,7 @@ This action invokes an immediate reset of the local administrator account passwo
<!-- Device-Actions-ResetPasswordStatus-Applicability-Begin --> <!-- Device-Actions-ResetPasswordStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPasswordStatus-Applicability-End --> <!-- Device-Actions-ResetPasswordStatus-Applicability-End -->
<!-- Device-Actions-ResetPasswordStatus-OmaUri-Begin --> <!-- Device-Actions-ResetPasswordStatus-OmaUri-Begin -->
@ -178,7 +180,7 @@ The value returned is an HRESULT code:
<!-- Device-Policies-Applicability-Begin --> <!-- Device-Policies-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-Applicability-End --> <!-- Device-Policies-Applicability-End -->
<!-- Device-Policies-OmaUri-Begin --> <!-- Device-Policies-OmaUri-Begin -->
@ -218,7 +220,7 @@ Root node for LAPS policies.
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-Begin --> <!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-End --> <!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-End -->
<!-- Device-Policies-ADEncryptedPasswordHistorySize-OmaUri-Begin --> <!-- Device-Policies-ADEncryptedPasswordHistorySize-OmaUri-Begin -->
@ -268,7 +270,7 @@ This setting has a maximum allowed value of 12 passwords.
<!-- Device-Policies-AdministratorAccountName-Applicability-Begin --> <!-- Device-Policies-AdministratorAccountName-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-AdministratorAccountName-Applicability-End --> <!-- Device-Policies-AdministratorAccountName-Applicability-End -->
<!-- Device-Policies-AdministratorAccountName-OmaUri-Begin --> <!-- Device-Policies-AdministratorAccountName-OmaUri-Begin -->
@ -313,7 +315,7 @@ Note if a custom managed local administrator account name is specified in this s
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-Begin --> <!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-End --> <!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionEnabled-OmaUri-Begin --> <!-- Device-Policies-ADPasswordEncryptionEnabled-OmaUri-Begin -->
@ -375,7 +377,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-Begin --> <!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-End --> <!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionPrincipal-OmaUri-Begin --> <!-- Device-Policies-ADPasswordEncryptionPrincipal-OmaUri-Begin -->
@ -431,7 +433,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-BackupDirectory-Applicability-Begin --> <!-- Device-Policies-BackupDirectory-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-BackupDirectory-Applicability-End --> <!-- Device-Policies-BackupDirectory-Applicability-End -->
<!-- Device-Policies-BackupDirectory-OmaUri-Begin --> <!-- Device-Policies-BackupDirectory-OmaUri-Begin -->
@ -489,7 +491,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PasswordAgeDays-Applicability-Begin --> <!-- Device-Policies-PasswordAgeDays-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordAgeDays-Applicability-End --> <!-- Device-Policies-PasswordAgeDays-Applicability-End -->
<!-- Device-Policies-PasswordAgeDays-OmaUri-Begin --> <!-- Device-Policies-PasswordAgeDays-OmaUri-Begin -->
@ -537,7 +539,7 @@ This setting has a maximum allowed value of 365 days.
<!-- Device-Policies-PasswordComplexity-Applicability-Begin --> <!-- Device-Policies-PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordComplexity-Applicability-End --> <!-- Device-Policies-PasswordComplexity-Applicability-End -->
<!-- Device-Policies-PasswordComplexity-OmaUri-Begin --> <!-- Device-Policies-PasswordComplexity-OmaUri-Begin -->
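Review bot: In the Applicable OS cell, the relocated Insider entry now reads `✅ Windows Insider Preview [10.0.25145]` and has lost the "and later" that the old `[10.0.25145] and later` text carried and that every other entry in the row still has. If the policy also applies to later Insider builds, keep the qualifier. The first entry, `✅ [10.0.20348.1663] and later`, is still a bare build number with no product name, unlike the Windows 10 and Windows 11 entries beside it, so a reader checking whether a device can enforce this setting cannot tell which OS it refers to. The same row is changed in the other policy hunks of this file, and the comment applies to each of them.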
@ -599,7 +601,7 @@ If not specified, this setting will default to 4.
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-Begin --> <!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-End --> <!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-End -->
<!-- Device-Policies-PasswordExpirationProtectionEnabled-OmaUri-Begin --> <!-- Device-Policies-PasswordExpirationProtectionEnabled-OmaUri-Begin -->
@ -655,7 +657,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-PasswordLength-Applicability-Begin --> <!-- Device-Policies-PasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordLength-Applicability-End --> <!-- Device-Policies-PasswordLength-Applicability-End -->
<!-- Device-Policies-PasswordLength-OmaUri-Begin --> <!-- Device-Policies-PasswordLength-OmaUri-Begin -->
@ -702,7 +704,7 @@ This setting has a maximum allowed value of 64 characters.
<!-- Device-Policies-PostAuthenticationActions-Applicability-Begin --> <!-- Device-Policies-PostAuthenticationActions-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationActions-Applicability-End --> <!-- Device-Policies-PostAuthenticationActions-Applicability-End -->
<!-- Device-Policies-PostAuthenticationActions-OmaUri-Begin --> <!-- Device-Policies-PostAuthenticationActions-OmaUri-Begin -->
@ -759,7 +761,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-Begin --> <!-- Device-Policies-PostAuthenticationResetDelay-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-End --> <!-- Device-Policies-PostAuthenticationResetDelay-Applicability-End -->
<!-- Device-Policies-PostAuthenticationResetDelay-OmaUri-Begin --> <!-- Device-Policies-PostAuthenticationResetDelay-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -34,6 +34,7 @@ The following list shows the PassportForWork configuration service provider node
- [Policies](#devicetenantidpolicies) - [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning) - [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery) - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices) - [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12) - [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
- [PINComplexity](#devicetenantidpoliciespincomplexity) - [PINComplexity](#devicetenantidpoliciespincomplexity)
@ -265,6 +266,55 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
<!-- Device-{TenantId}-Policies-EnablePinRecovery-End --> <!-- Device-{TenantId}-Policies-EnablePinRecovery-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Begin -->
#### Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
```
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-Begin -->
<!-- Description-Source-DDF -->
Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-End -->
<!-- Device-{TenantId}-Policies-ExcludeSecurityDevices-Begin --> <!-- Device-{TenantId}-Policies-ExcludeSecurityDevices-Begin -->
#### Device/{TenantId}/Policies/ExcludeSecurityDevices #### Device/{TenantId}/Policies/ExcludeSecurityDevices
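Review bot: The new EnableWindowsHelloProvisioningForSecurityKeys section leaves its Editable block empty, so the only guidance is the one-line description "Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys." That does not say what a device does differently once the value is `true`, or how the setting relates to DisablePostLogonProvisioning in the same Policies node. A short explanation belongs in the Editable section, since the generated comment states that anything outside it is overwritten. Two smaller points: "sign-in" is used as a verb and should read "sign in" (fix it in the DDF source so it is not regenerated), and the Applicable OS cell lists only `✅ Windows Insider Preview` with no build number, so there is no way to tell from the page which builds honour the policy.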

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>EnableWindowsHelloProvisioningForSecurityKeys</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>DisablePostLogonProvisioning</NodeName> <NodeName>DisablePostLogonProvisioning</NodeName>
<DFProperties> <DFProperties>
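Review bot: In the added node, `<DefaultValue>False</DefaultValue>` is capitalised while the two `<MSFT:Value>` entries are lowercase `false` and `true`, so the default is not literally one of the allowed values. Use the same casing in both places so tooling that compares the default against the enum does not have to normalise it. `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>` also reads as a placeholder rather than a shipping build; if that is intentional for a preview-only node, a comment saying so would help, and it needs replacing once the real minimum build is known.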

View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/01/2023 ms.date: 08/07/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -64,8 +64,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_AppXRuntime ## ADMX_AppXRuntime
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) - [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) - [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md) - [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md)
@ -141,7 +139,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md) - [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md) - [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md) - [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md) - [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md) - [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md)
@ -221,7 +218,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoRecycleBinIcon](policy-csp-admx-desktop.md) - [NoRecycleBinIcon](policy-csp-admx-desktop.md)
- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md) - [NoDesktopCleanupWizard](policy-csp-admx-desktop.md)
- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md) - [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md)
- [NoDesktop](policy-csp-admx-desktop.md)
## ADMX_DeviceCompat ## ADMX_DeviceCompat
@ -542,7 +538,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md) - [DisableAOACProcessing](policy-csp-admx-grouppolicy.md)
- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md) - [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md)
- [RSoPLogging](policy-csp-admx-grouppolicy.md) - [RSoPLogging](policy-csp-admx-grouppolicy.md)
- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
- [FontMitigation](policy-csp-admx-grouppolicy.md) - [FontMitigation](policy-csp-admx-grouppolicy.md)
## ADMX_Help ## ADMX_Help
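Review bot: The removed `- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)` has no second copy among the visible lines of this hunk, unlike the ADMX_AppXRuntime hunk, where the deleted entries are repeated directly below as context. The commit message says only "bring even with main, fix merge conflict", so please confirm that the entry is still listed elsewhere in the ADMX_GroupPolicy section or that dropping it is intended. If it is neither, the index loses its link to a mitigation-related policy.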
@ -1163,10 +1158,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_PowerShellExecutionPolicy ## ADMX_PowerShellExecutionPolicy
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) - [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) - [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) - [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
@ -1339,7 +1330,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md) - [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md)
- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md) - [Run_Startup_Script_Sync](policy-csp-admx-scripts.md)
- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md) - [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md)
- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md) - [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md)
## ADMX_sdiageng ## ADMX_sdiageng
@ -1509,14 +1499,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoAutoTrayNotify](policy-csp-admx-startmenu.md) - [NoAutoTrayNotify](policy-csp-admx-startmenu.md)
- [Intellimenus](policy-csp-admx-startmenu.md) - [Intellimenus](policy-csp-admx-startmenu.md)
- [NoInstrumentation](policy-csp-admx-startmenu.md) - [NoInstrumentation](policy-csp-admx-startmenu.md)
- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
- [NoSetTaskbar](policy-csp-admx-startmenu.md)
- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
- [HidePowerOptions](policy-csp-admx-startmenu.md) - [HidePowerOptions](policy-csp-admx-startmenu.md)
- [NoRun](policy-csp-admx-startmenu.md)
## ADMX_SystemRestore ## ADMX_SystemRestore
@ -1590,8 +1573,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md) - [NoSystraySystemPromotion](policy-csp-admx-taskbar.md)
- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md) - [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md)
- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md) - [TaskbarNoThumbnail](policy-csp-admx-taskbar.md)
- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
## ADMX_tcpip ## ADMX_tcpip
@ -1849,132 +1830,13 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Travel](policy-csp-admx-userexperiencevirtualization.md) - [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md) - [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md) - [Weather](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md) - [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md) - [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md) - [EnableUEV](policy-csp-admx-userexperiencevirtualization.md)
- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md) - [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md) - [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md) - [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md)
- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md) - [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
- [Finance](policy-csp-admx-userexperiencevirtualization.md)
- [Games](policy-csp-admx-userexperiencevirtualization.md)
- [Maps](policy-csp-admx-userexperiencevirtualization.md)
- [Music](policy-csp-admx-userexperiencevirtualization.md)
- [News](policy-csp-admx-userexperiencevirtualization.md)
- [Reader](policy-csp-admx-userexperiencevirtualization.md)
- [Sports](policy-csp-admx-userexperiencevirtualization.md)
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
## ADMX_UserProfiles ## ADMX_UserProfiles
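Review bot: This hunk mixes two kinds of deletion and only one of them can be verified from the diff. The trailing Finance through Weather entries are clear repeats, since Travel, Video and Weather already appear as context at the top of the hunk. Entries such as `ConfigureSyncMethod`, `SyncEnabled`, `SettingsStoragePath` and `SyncOverMeteredNetwork`, however, are removed from between surviving lines (`ContactITDescription`, `EnableUEV`, `TrayIconEnabled`) and no other copy of them is visible here. Please confirm each one is still present earlier in the ADMX_UserExperienceVirtualization list. Given that this is a merge-conflict resolution, listing the removed duplicates in the commit message would make the change easier to check.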
@ -2089,35 +1951,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) - [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) - [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md)
- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) - [EnableSmartScreen](policy-csp-admx-windowsexplorer.md)
- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) - [NoNewAppAlert](policy-csp-admx-windowsexplorer.md)
- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) - [ShowHibernateOption](policy-csp-admx-windowsexplorer.md)
- [ShowSleepOption](policy-csp-admx-windowsexplorer.md) - [ShowSleepOption](policy-csp-admx-windowsexplorer.md)
- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md) - [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md)
- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md) - [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
## ADMX_WindowsMediaDRM ## ADMX_WindowsMediaDRM
@ -2174,7 +2012,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md) - [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md)
- [SoftwareSASGeneration](policy-csp-admx-winlogon.md) - [SoftwareSASGeneration](policy-csp-admx-winlogon.md)
- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md) - [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md)
- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
## ADMX_Winsrv ## ADMX_Winsrv
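Review bot: The removal of `ReportCachedLogonPolicyDescription` from the ADMX_WinLogon list cannot be confirmed as a de-duplication from this hunk, because none of the three context entries above it repeats that name. The NoToastNotification, Autoplay and DisablePasswordReveal removals that follow each delete a copy that is still visible in their own context. Please confirm the entry still appears earlier in the ADMX_WinLogon section; if it does not, this change drops a documented policy from the index rather than removing a repeat.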
@ -2204,7 +2041,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoQuietHours](policy-csp-admx-wpn.md) - [NoQuietHours](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md) - [NoToastNotification](policy-csp-admx-wpn.md)
- [NoLockScreenToastNotification](policy-csp-admx-wpn.md) - [NoLockScreenToastNotification](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
## AppRuntime ## AppRuntime
@ -2249,9 +2085,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## Autoplay ## Autoplay
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) - [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) - [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md) - [TurnOffAutoPlay](policy-csp-autoplay.md)
@ -2279,7 +2112,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## CredentialsUI ## CredentialsUI
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [DisablePasswordReveal](policy-csp-credentialsui.md) - [DisablePasswordReveal](policy-csp-credentialsui.md)
- [EnumerateAdministrators](policy-csp-credentialsui.md) - [EnumerateAdministrators](policy-csp-credentialsui.md)
@ -2608,264 +2440,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) - [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) - [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md) - [DisableHTMLApplication](policy-csp-internetexplorer.md)
- [AddSearchProvider](policy-csp-internetexplorer.md)
- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
- [DisableUpdateCheck](policy-csp-internetexplorer.md) - [DisableUpdateCheck](policy-csp-internetexplorer.md)
- [DisableProxyChange](policy-csp-internetexplorer.md)
- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
- [AllowSuggestedSites](policy-csp-internetexplorer.md)
- [DisableCompatView](policy-csp-internetexplorer.md)
- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
- [DisableGeolocation](policy-csp-internetexplorer.md)
- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
- [NewTabDefaultPage](policy-csp-internetexplorer.md)
- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
- [SearchProviderList](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md) - [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md) - [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md)
- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
- [JScriptReplacement](policy-csp-internetexplorer.md)
- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [AllowAddOnList](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
- [AllowOneWordEntry](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [AllowFallbackToSSL3](policy-csp-internetexplorer.md) - [AllowFallbackToSSL3](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md) - [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md)
- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
- [DisableCrashDetection](policy-csp-internetexplorer.md)
- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
## Kerberos ## Kerberos
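Review bot: Five entries from the deleted block survive as context (`DisableUpdateCheck`, `DoNotAllowUsersToAddSites`, `DoNotAllowUsersToChangePolicies`, `AllowFallbackToSSL3`, `SecurityZonesUseOnlyMachineSettings`), so after this change they sit after `DisableHTMLApplication` at the tail of the InternetExplorer list, detached from their neighbours in the original ordering. The last three removed lines repeat the three context lines at the top of the hunk, which suggests the whole block was a second copy of the list, but the hunk does not show the first copy. Please verify two things against the full file: that each removed entry (for example `DisableBypassOfSmartScreenWarnings`, `CheckServerCertificateRevocation`, `DisableIgnoringCertificateErrors`) is still listed above line 2608, and that the five kept entries are not also listed there, which would leave duplicates behind.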
@ -3024,7 +2603,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## WindowsPowerShell ## WindowsPowerShell
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) - [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
## Related articles ## Related articles

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/07/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -40,8 +40,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md) - [AllowDeveloperUnlock](policy-csp-applicationmanagement.md)
- [AllowGameDVR](policy-csp-applicationmanagement.md) - [AllowGameDVR](policy-csp-applicationmanagement.md)
- [AllowSharedUserAppData](policy-csp-applicationmanagement.md) - [AllowSharedUserAppData](policy-csp-applicationmanagement.md)
- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md) - [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md)
- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md) - [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md)
- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md) - [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md)
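Review bot: `RequirePrivateStoreOnly` and `MSIAlwaysInstallWithElevatedPrivileges` are deleted from the ApplicationManagement list with no remaining copy in the visible context, while the neighbouring `MSIAllowUserControlOverInstall` is kept. If both are still listed above line 40 this is a clean de-duplication; if not, the page stops documenting a group policy mapping for them. `MSIAlwaysInstallWithElevatedPrivileges` is a setting administrators look up when auditing installer elevation, so it is worth stating in the commit message which case applies.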
@ -125,59 +123,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Browser ## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
- [AllowDeveloperTools](policy-csp-browser.md)
- [AllowDoNotTrack](policy-csp-browser.md)
- [AllowExtensions](policy-csp-browser.md)
- [AllowFlash](policy-csp-browser.md)
- [AllowFlashClickToRun](policy-csp-browser.md)
- [AllowFullScreenMode](policy-csp-browser.md)
- [AllowInPrivate](policy-csp-browser.md)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
- [AllowPasswordManager](policy-csp-browser.md)
- [AllowPopups](policy-csp-browser.md)
- [AllowPrinting](policy-csp-browser.md)
- [AllowSavingHistory](policy-csp-browser.md)
- [AllowSearchEngineCustomization](policy-csp-browser.md)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
- [AllowSideloadingOfExtensions](policy-csp-browser.md)
- [AllowSmartScreen](policy-csp-browser.md)
- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
- [ClearBrowsingDataOnExit](policy-csp-browser.md)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
- [ConfigureFavoritesBar](policy-csp-browser.md)
- [ConfigureHomeButton](policy-csp-browser.md)
- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
- [DisableLockdownOfStartPages](policy-csp-browser.md)
- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
- [AllowTabPreloading](policy-csp-browser.md)
- [AllowPrelaunch](policy-csp-browser.md)
- [EnterpriseModeSiteList](policy-csp-browser.md)
- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
- [HomePages](policy-csp-browser.md)
- [LockdownFavorites](policy-csp-browser.md)
- [ConfigureKioskMode](policy-csp-browser.md)
- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
- [PreventFirstRunPage](policy-csp-browser.md)
- [PreventCertErrorOverrides](policy-csp-browser.md)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
- [PreventLiveTileDataCollection](policy-csp-browser.md)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
- [ProvisionFavorites](policy-csp-browser.md)
- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
- [SetDefaultSearchEngine](policy-csp-browser.md)
- [SetHomeButtonURL](policy-csp-browser.md)
- [SetNewTabPageURL](policy-csp-browser.md)
- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
- [UnlockHomeButton](policy-csp-browser.md)
- [UseSharedFolderForBooks](policy-csp-browser.md)
- [AllowAddressBarDropdown](policy-csp-browser.md) - [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md) - [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md) - [AllowCookies](policy-csp-browser.md)
@ -252,6 +197,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Cryptography ## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md) - [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md)
- [TLSCipherSuites](policy-csp-cryptography.md)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md)
## Defender ## Defender
@ -347,7 +294,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [EnablePerProcessDpi](policy-csp-display.md) - [EnablePerProcessDpi](policy-csp-display.md)
- [TurnOnGdiDPIScalingForApps](policy-csp-display.md) - [TurnOnGdiDPIScalingForApps](policy-csp-display.md)
- [TurnOffGdiDPIScalingForApps](policy-csp-display.md) - [TurnOffGdiDPIScalingForApps](policy-csp-display.md)
- [EnablePerProcessDpi](policy-csp-display.md)
- [EnablePerProcessDpiForApps](policy-csp-display.md) - [EnablePerProcessDpiForApps](policy-csp-display.md)
- [DisablePerProcessDpiForApps](policy-csp-display.md) - [DisablePerProcessDpiForApps](policy-csp-display.md)
@ -630,7 +576,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PublishUserActivities](policy-csp-privacy.md) - [PublishUserActivities](policy-csp-privacy.md)
- [UploadUserActivities](policy-csp-privacy.md) - [UploadUserActivities](policy-csp-privacy.md)
- [AllowCrossDeviceClipboard](policy-csp-privacy.md) - [AllowCrossDeviceClipboard](policy-csp-privacy.md)
- [DisablePrivacyExperience](policy-csp-privacy.md)
- [LetAppsActivateWithVoice](policy-csp-privacy.md) - [LetAppsActivateWithVoice](policy-csp-privacy.md)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md) - [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md)
@ -664,7 +609,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureTaskbarCalendar](policy-csp-settings.md) - [ConfigureTaskbarCalendar](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md) - [PageVisibilityList](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
- [AllowOnlineTips](policy-csp-settings.md) - [AllowOnlineTips](policy-csp-settings.md)
## SmartScreen ## SmartScreen
@ -691,18 +635,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md)
- [DisableContextMenus](policy-csp-start.md)
- [ShowOrHideMostUsedApps](policy-csp-start.md)
- [HideFrequentlyUsedApps](policy-csp-start.md)
- [HideRecentlyAddedApps](policy-csp-start.md)
- [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md)
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
## Storage ## Storage
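Review bot: Of the ten entries removed from the Start list, only `HideRecommendedPersonalizedSites` and `HideTaskViewButton` have a surviving copy in this hunk's context. `ForceStartSize` through `ConfigureStartPins` and `HideRecommendedSection` have none here. Please confirm those eight are still present above line 691, since `StartLayout` and `ConfigureStartPins` are commonly referenced from this index.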
@ -721,7 +655,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowBuildPreview](policy-csp-system.md) - [AllowBuildPreview](policy-csp-system.md)
- [AllowFontProviders](policy-csp-system.md) - [AllowFontProviders](policy-csp-system.md)
- [AllowLocation](policy-csp-system.md) - [AllowLocation](policy-csp-system.md)
- [AllowTelemetry](policy-csp-system.md)
- [TelemetryProxy](policy-csp-system.md) - [TelemetryProxy](policy-csp-system.md)
- [DisableOneDriveFileSync](policy-csp-system.md) - [DisableOneDriveFileSync](policy-csp-system.md)
- [AllowWUfBCloudProcessing](policy-csp-system.md) - [AllowWUfBCloudProcessing](policy-csp-system.md)
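Review bot: The `AllowTelemetry` entry is removed from the System list and no other copy is visible in the six context lines. Unlike the Display and TimeLanguageSettings hunks, where the deleted line repeats an entry shown in the same hunk, this one cannot be checked from the diff alone. Please confirm `AllowTelemetry` remains listed earlier in the System section, or note in the commit message that its group policy mapping was intentionally dropped.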
@ -767,7 +700,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) - [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md) - [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md)
- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md) - [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md)
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
## Troubleshooting ## Troubleshooting
@ -842,6 +774,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md) - [ConfigureDeadlineNoAutoReboot](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
- [AllowOptionalContent](policy-csp-update.md)
## UserRights ## UserRights

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/01/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -73,6 +73,12 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Cryptography ## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy) - [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites) - [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender ## Defender
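Review bot: The six Cryptography entries added to the Surface Hub list here are marked "✅ Windows Insider Preview" in the applicability tables that this same commit adds to policy-csp-cryptography.md, so listing them as applicable without any preview qualifier looks premature. Either hold these six lines until the policies ship in a released build, or mark them as Insider-only in this list so administrators don't plan TLS/DTLS minimum-version or curve-order baselines around settings their devices can't yet accept.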
@ -313,6 +319,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork) - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice) - [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate) - [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol) - [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice) - [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel) - [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)

View File

@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/07/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage

View File

@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowActionCenterNotifications-Applicability-Begin --> <!-- AllowActionCenterNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowActionCenterNotifications-Applicability-End --> <!-- AllowActionCenterNotifications-Applicability-End -->
<!-- AllowActionCenterNotifications-OmaUri-Begin --> <!-- AllowActionCenterNotifications-OmaUri-Begin -->
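Review bot: The Editions cell for AllowActionCenterNotifications flips Pro, Enterprise and Education from ❌ to ✅ in one step while the Applicable OS cell stays at "Windows 10, version 1507 [10.0.10240] and later", and the commit message ("bring even with main, fix merge conflict") gives no reason. The same wholesale flip recurs in the other applicability hunks of this commit, so please state where the new edition data comes from; a reader deciding whether a restriction can be enforced on Pro devices relies on this cell.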

View File

@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -435,7 +435,7 @@ Manages a Windows app's ability to share data between users who have installed t
<!-- AllowStore-Applicability-Begin --> <!-- AllowStore-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowStore-Applicability-End --> <!-- AllowStore-Applicability-End -->
<!-- AllowStore-OmaUri-Begin --> <!-- AllowStore-OmaUri-Begin -->
@ -487,7 +487,7 @@ This policy is deprecated.
<!-- ApplicationRestrictions-Applicability-Begin --> <!-- ApplicationRestrictions-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- ApplicationRestrictions-Applicability-End --> <!-- ApplicationRestrictions-Applicability-End -->
<!-- ApplicationRestrictions-OmaUri-Begin --> <!-- ApplicationRestrictions-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -185,7 +185,7 @@ To verify AllowAutofill is set to 0 (not allowed):
<!-- AllowBrowser-Applicability-Begin --> <!-- AllowBrowser-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowBrowser-Applicability-End --> <!-- AllowBrowser-Applicability-End -->
<!-- AllowBrowser-OmaUri-Begin --> <!-- AllowBrowser-OmaUri-Begin -->
@ -2720,7 +2720,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM
<!-- FirstRunURL-Applicability-Begin --> <!-- FirstRunURL-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- FirstRunURL-Applicability-End --> <!-- FirstRunURL-Applicability-End -->
<!-- FirstRunURL-OmaUri-Begin --> <!-- FirstRunURL-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -259,7 +259,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i
<!-- AllowNFC-Applicability-Begin --> <!-- AllowNFC-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowNFC-Applicability-End --> <!-- AllowNFC-Applicability-End -->
<!-- AllowNFC-OmaUri-Begin --> <!-- AllowNFC-OmaUri-Begin -->
@ -382,7 +382,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
<!-- AllowUSBConnection-Applicability-Begin --> <!-- AllowUSBConnection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowUSBConnection-Applicability-End --> <!-- AllowUSBConnection-Applicability-End -->
<!-- AllowUSBConnection-OmaUri-Begin --> <!-- AllowUSBConnection-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Cryptography-Begin --> <!-- Cryptography-Begin -->
# Policy CSP - Cryptography # Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin --> <!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End --> <!-- Cryptography-Editable-End -->
@ -78,6 +80,283 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- AllowFipsAlgorithmPolicy-End --> <!-- AllowFipsAlgorithmPolicy-End -->
<!-- ConfigureEllipticCurveCryptography-Begin -->
## ConfigureEllipticCurveCryptography
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography
```
<!-- ConfigureEllipticCurveCryptography-OmaUri-End -->
<!-- ConfigureEllipticCurveCryptography-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line)
- If you disable or don't configure this policy setting, the default ECC curve order is used.
Default Curve Order
curve25519
NistP256
NistP384
To See all the curves supported on the system, Use the following command:
CertUtil.exe -DisplayEccCurve.
<!-- ConfigureEllipticCurveCryptography-Description-End -->
<!-- ConfigureEllipticCurveCryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Editable-End -->
<!-- ConfigureEllipticCurveCryptography-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- ConfigureEllipticCurveCryptography-DFProperties-End -->
<!-- ConfigureEllipticCurveCryptography-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCurveOrder |
| Friendly Name | ECC Curve Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- ConfigureEllipticCurveCryptography-GpMapping-End -->
<!-- ConfigureEllipticCurveCryptography-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Examples-End -->
<!-- ConfigureEllipticCurveCryptography-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Begin -->
## ConfigureSystemCryptographyForceStrongKeyProtection
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection
```
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-Begin -->
<!-- Description-Source-DDF -->
System cryptography: Force strong key protection for user keys stored on the computer. Last write wins.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-Begin -->
**Allowed values**:
| Flag | Description |
|:--|:--|
| 8 | An app container has accessed a medium key that isn't strongly protected. For example, a key that's for user consent only, or is password or fingerprint protected. |
| 2 (Default) | Force high protection. |
| 1 | Display the strong key user interface as needed. |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Begin -->
## OverrideMinimumEnabledDTLSVersionClient
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient
```
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Begin -->
## OverrideMinimumEnabledDTLSVersionServer
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer
```
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Begin -->
## OverrideMinimumEnabledTLSVersionClient
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionClient
```
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Begin -->
## OverrideMinimumEnabledTLSVersionServer
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionServer
```
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-End -->
<!-- TLSCipherSuites-Begin --> <!-- TLSCipherSuites-Begin -->
## TLSCipherSuites ## TLSCipherSuites
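Review bot: The descriptions for OverrideMinimumEnabledDTLSVersionClient and OverrideMinimumEnabledDTLSVersionServer read "Override minimal enabled TLS version for client role" and "... for server role", word for word the same as the two TLS policies, so nothing in the text says these settings govern DTLS; they should name DTLS. All four version policies also give "Default Value | 1.0" with no Allowed values table, which leaves the accepted version strings undocumented. In ConfigureEllipticCurveCryptography the description says "Enter one Curve name per line" while the properties table gives a `;` delimiter, and the command is written with a trailing period (`CertUtil.exe -DisplayEccCurve.`) that will be copied along with it. In ConfigureSystemCryptographyForceStrongKeyProtection the text for flag 8 describes an event ("An app container has accessed a medium key...") rather than what setting the value selects. Since the generated sections are overwritten, the corrections belong in the source descriptions or in each policy's Editable section.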
@ -94,8 +373,14 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- TLSCipherSuites-OmaUri-End --> <!-- TLSCipherSuites-OmaUri-End -->
<!-- TLSCipherSuites-Description-Begin --> <!-- TLSCipherSuites-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
- If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
- If you disable or don't configure this policy setting, default cipher suite order is used.
Link for all the cipherSuites: <https://go.microsoft.com/fwlink/?LinkId=517265>
<!-- TLSCipherSuites-Description-End --> <!-- TLSCipherSuites-Description-End -->
<!-- TLSCipherSuites-Editable-Begin --> <!-- TLSCipherSuites-Editable-Begin -->
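Review bot: The replacement description for TLSCipherSuites drops two operational facts the old text stated, "Format is a semicolon delimited list" and "Last write win", and now talks only about the Secure Socket Layer for a policy named TLSCipherSuites. The delimiter still appears in the properties table, but last-write-wins is no longer stated in this description even though the new sibling policies added in this file keep it; consider restoring both facts in the Editable section, and rewording "Link for all the cipherSuites" into a sentence that says what the linked page lists.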
@ -112,6 +397,19 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
| Allowed Values | List (Delimiter: `;`) | | Allowed Values | List (Delimiter: `;`) |
<!-- TLSCipherSuites-DFProperties-End --> <!-- TLSCipherSuites-DFProperties-End -->
<!-- TLSCipherSuites-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCipherSuiteOrder |
| Friendly Name | SSL Cipher Suite Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- TLSCipherSuites-GpMapping-End -->
<!-- TLSCipherSuites-Examples-Begin --> <!-- TLSCipherSuites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TLSCipherSuites-Examples-End --> <!-- TLSCipherSuites-Examples-End -->
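Review bot: The Registry Key Name in this new mapping, SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, is identical to the one in the SSLCurveOrder mapping added for ConfigureEllipticCurveCryptography earlier in this file, and neither table has a registry value name row. As written, someone verifying the applied policy in the registry cannot tell which value under that key holds the cipher suite order and which holds the curve order; add the value name to both mappings.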

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -444,6 +444,9 @@ This policy setting allows you to manage whether or not to scan for malicious so
<!-- AllowIntrusionPreventionSystem-Begin --> <!-- AllowIntrusionPreventionSystem-Begin -->
## AllowIntrusionPreventionSystem ## AllowIntrusionPreventionSystem
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- AllowIntrusionPreventionSystem-Applicability-Begin --> <!-- AllowIntrusionPreventionSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
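Review bot: The deprecation note added under the AllowIntrusionPreventionSystem heading says only "This policy is deprecated and may be removed in a future release", with no replacement named and no release from which the deprecation applies. An administrator who has this policy in a baseline needs to know what to move to and by when; add that information or a link to it.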

View File

@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -121,7 +121,7 @@ Allow Administrator account lockout This security setting determines whether the
<!-- AllowIdleReturnWithoutPassword-Applicability-Begin --> <!-- AllowIdleReturnWithoutPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowIdleReturnWithoutPassword-Applicability-End --> <!-- AllowIdleReturnWithoutPassword-Applicability-End -->
<!-- AllowIdleReturnWithoutPassword-OmaUri-Begin --> <!-- AllowIdleReturnWithoutPassword-OmaUri-Begin -->
@ -789,7 +789,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-Begin --> <!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-End --> <!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-End -->
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-OmaUri-Begin --> <!-- MaxInactivityTimeDeviceLockWithExternalDisplay-OmaUri-Begin -->

View File

@ -46,6 +46,8 @@ This policy is intended to provide more security against external DMA capable de
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy requires a system reboot to take effect.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
<!-- DeviceEnumerationPolicy-Editable-End --> <!-- DeviceEnumerationPolicy-Editable-End -->
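Review bot: This file receives a content change (the added sentence "This policy requires a system reboot to take effect.") but, unlike the other policy files in this commit, it has no hunk bumping ms.date in the front matter. The new sentence also sits ahead of the Kernel DMA Protection prerequisite paragraph; it would read more naturally after it, because the reboot only matters on systems where the policy takes effect at all.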

View File

@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 07/06/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -107,7 +107,7 @@ Policy change takes effect immediately.
<!-- AllowCopyPaste-Applicability-Begin --> <!-- AllowCopyPaste-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowCopyPaste-Applicability-End --> <!-- AllowCopyPaste-Applicability-End -->
<!-- AllowCopyPaste-OmaUri-Begin --> <!-- AllowCopyPaste-OmaUri-Begin -->
@ -840,7 +840,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide
<!-- AllowTaskSwitcher-Applicability-Begin --> <!-- AllowTaskSwitcher-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowTaskSwitcher-Applicability-End --> <!-- AllowTaskSwitcher-Applicability-End -->
<!-- AllowTaskSwitcher-OmaUri-Begin --> <!-- AllowTaskSwitcher-OmaUri-Begin -->
@ -956,7 +956,7 @@ Specifies whether to allow app and content suggestions from third-party software
<!-- AllowVoiceRecording-Applicability-Begin --> <!-- AllowVoiceRecording-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowVoiceRecording-Applicability-End --> <!-- AllowVoiceRecording-Applicability-End -->
<!-- AllowVoiceRecording-OmaUri-Begin --> <!-- AllowVoiceRecording-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MixedReality-Editable-Begin --> <!-- MixedReality-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices. These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices.
@ -538,6 +540,153 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- DisallowNetworkConnectivityPassivePolling-End --> <!-- DisallowNetworkConnectivityPassivePolling-End -->
<!-- EnableStartMenuSingleHandGesture-Begin -->
## EnableStartMenuSingleHandGesture
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuSingleHandGesture
```
<!-- EnableStartMenuSingleHandGesture-OmaUri-End -->
<!-- EnableStartMenuSingleHandGesture-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu is enabled or not.
<!-- EnableStartMenuSingleHandGesture-Description-End -->
<!-- EnableStartMenuSingleHandGesture-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Editable-End -->
<!-- EnableStartMenuSingleHandGesture-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuSingleHandGesture-DFProperties-End -->
<!-- EnableStartMenuSingleHandGesture-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
| 1 (Default) | Allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
<!-- EnableStartMenuSingleHandGesture-AllowedValues-End -->
<!-- EnableStartMenuSingleHandGesture-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Examples-End -->
<!-- EnableStartMenuSingleHandGesture-End -->
<!-- EnableStartMenuVoiceCommand-Begin -->
## EnableStartMenuVoiceCommand
<!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuVoiceCommand
```
<!-- EnableStartMenuVoiceCommand-OmaUri-End -->
<!-- EnableStartMenuVoiceCommand-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if using voice commands to open the Start menu is enabled or not.
<!-- EnableStartMenuVoiceCommand-Description-End -->
<!-- EnableStartMenuVoiceCommand-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Editable-End -->
<!-- EnableStartMenuVoiceCommand-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuVoiceCommand-DFProperties-End -->
<!-- EnableStartMenuVoiceCommand-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Using voice commands to open the Start menu is disabled. |
| 1 (Default) | Using voice commands to open the Start menu is enabled. |
<!-- EnableStartMenuVoiceCommand-AllowedValues-End -->
<!-- EnableStartMenuVoiceCommand-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Examples-End -->
<!-- EnableStartMenuVoiceCommand-End -->
<!-- EnableStartMenuWristTap-Begin -->
## EnableStartMenuWristTap
<!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuWristTap
```
<!-- EnableStartMenuWristTap-OmaUri-End -->
<!-- EnableStartMenuWristTap-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if tapping the Star icon on your wrist to open the Start menu is enabled or not.
<!-- EnableStartMenuWristTap-Description-End -->
<!-- EnableStartMenuWristTap-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Editable-End -->
<!-- EnableStartMenuWristTap-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuWristTap-DFProperties-End -->
<!-- EnableStartMenuWristTap-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow tapping the Start icon on your wrist to open the Start menu. |
| 1 (Default) | Allow tapping the Start icon on your wrist to open the Start menu. |
<!-- EnableStartMenuWristTap-AllowedValues-End -->
<!-- EnableStartMenuWristTap-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Examples-End -->
<!-- EnableStartMenuWristTap-End -->
<!-- EyeTrackingCalibrationPrompt-Begin --> <!-- EyeTrackingCalibrationPrompt-Begin -->
## EyeTrackingCalibrationPrompt ## EyeTrackingCalibrationPrompt
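Review bot: Typo in the EnableStartMenuWristTap description: "tapping the Star icon on your wrist" should read "Start icon", as the Allowed values rows for the same policy do. The sentence sits under `Description-Source-DDF` rather than in the Editable section, so fix it in the DDF source as well, otherwise it will come back when the page is regenerated. The three new descriptions also use "controls if ... is enabled or not"; "controls whether ... is enabled" reads more cleanly.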
@ -852,6 +1001,153 @@ The following example XML string shows the value to enable this policy:
<!-- NtpClientEnabled-End --> <!-- NtpClientEnabled-End -->
<!-- PreferLogonAsOtherUser-Begin -->
## PreferLogonAsOtherUser
<!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/PreferLogonAsOtherUser
```
<!-- PreferLogonAsOtherUser-OmaUri-End -->
<!-- PreferLogonAsOtherUser-Description-Begin -->
<!-- Description-Source-DDF -->
This policy configures whether the Sign-In App should prefer showing Other User panel to user.
<!-- PreferLogonAsOtherUser-Description-End -->
<!-- PreferLogonAsOtherUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Editable-End -->
<!-- PreferLogonAsOtherUser-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- PreferLogonAsOtherUser-DFProperties-End -->
<!-- PreferLogonAsOtherUser-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- PreferLogonAsOtherUser-AllowedValues-End -->
<!-- PreferLogonAsOtherUser-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Examples-End -->
<!-- PreferLogonAsOtherUser-End -->
<!-- RequireStartIconHold-Begin -->
## RequireStartIconHold
<!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconHold
```
<!-- RequireStartIconHold-OmaUri-End -->
<!-- RequireStartIconHold-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's require that the Start icon to be pressed for 2 seconds to open the Start menu.
<!-- RequireStartIconHold-Description-End -->
<!-- RequireStartIconHold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconHold-Editable-End -->
<!-- RequireStartIconHold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconHold-DFProperties-End -->
<!-- RequireStartIconHold-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be pressed for 2 seconds. |
| 1 | Require the Start icon to be pressed for 2 seconds. |
<!-- RequireStartIconHold-AllowedValues-End -->
<!-- RequireStartIconHold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconHold-Examples-End -->
<!-- RequireStartIconHold-End -->
<!-- RequireStartIconVisible-Begin -->
## RequireStartIconVisible
<!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconVisible
```
<!-- RequireStartIconVisible-OmaUri-End -->
<!-- RequireStartIconVisible-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's required that the Start icon to be looked at when you tap it to open the Start menu.
<!-- RequireStartIconVisible-Description-End -->
<!-- RequireStartIconVisible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Editable-End -->
<!-- RequireStartIconVisible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconVisible-DFProperties-End -->
<!-- RequireStartIconVisible-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be looked at when you tap it. |
| 1 | Require the Start icon to be looked at when you tap it. |
<!-- RequireStartIconVisible-AllowedValues-End -->
<!-- RequireStartIconVisible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Examples-End -->
<!-- RequireStartIconVisible-End -->
<!-- SkipCalibrationDuringSetup-Begin --> <!-- SkipCalibrationDuringSetup-Begin -->
## SkipCalibrationDuringSetup ## SkipCalibrationDuringSetup
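Review bot: The RequireStartIconHold and RequireStartIconVisible descriptions are ungrammatical ("controls if it's require that the Start icon to be pressed for 2 seconds", "controls if it's required that the Start icon to be looked at"). Suggest "controls whether the Start icon must be pressed for 2 seconds to open the Start menu" and "controls whether you must be looking at the Start icon when you tap it to open the Start menu". For PreferLogonAsOtherUser, the allowed values are only "Disabled." and "Enabled." and the Editable section is empty; since this changes what the sign-in screen shows, say what the user sees for each value.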

View File

@ -4,7 +4,7 @@ description: Learn more about the NetworkListManager Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -37,7 +37,7 @@ ms.topic: reference
<!-- AllowedTlsAuthenticationEndpoints-Description-Begin --> <!-- AllowedTlsAuthenticationEndpoints-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. List of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
<!-- AllowedTlsAuthenticationEndpoints-Description-End --> <!-- AllowedTlsAuthenticationEndpoints-Description-End -->
<!-- AllowedTlsAuthenticationEndpoints-Editable-Begin --> <!-- AllowedTlsAuthenticationEndpoints-Editable-Begin -->
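Review bot: The spelling fix ("seperated" to "separated") lands under `Description-Source-DDF`, not in the Editable section, so please confirm it was made in the DDF source rather than by hand. While this line is being touched, "Unicode character 0xF000" would be clearer written as U+F000 with a remark that it is a private-use code point, and an example showing two endpoints joined with it would save admins from guessing at the encoding. "Resolved over HTTPS" could also state what counts as success, since that check decides whether the network is treated as authenticated.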

View File

@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Privacy-Begin --> <!-- Privacy-Begin -->
# Policy CSP - Privacy # Policy CSP - Privacy
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Privacy-Editable-Begin --> <!-- Privacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Privacy-Editable-End --> <!-- Privacy-Editable-End -->
@ -2934,7 +2936,7 @@ If an app is open when this Group Policy object is applied on a device, employee
<!-- LetAppsAccessHumanPresence-Applicability-Begin --> <!-- LetAppsAccessHumanPresence-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence-Applicability-End --> <!-- LetAppsAccessHumanPresence-Applicability-End -->
<!-- LetAppsAccessHumanPresence-OmaUri-Begin --> <!-- LetAppsAccessHumanPresence-OmaUri-Begin -->
@ -2994,7 +2996,7 @@ This policy setting specifies whether Windows apps can access the human presence
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-Begin --> <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-End --> <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-Begin --> <!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-Begin -->
@ -3044,7 +3046,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-Begin --> <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-End --> <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-Begin --> <!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-Begin -->
@ -3094,7 +3096,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-Begin --> <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-End --> <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-Begin --> <!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1123,7 +1123,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!-- SafeSearchPermissions-Applicability-Begin --> <!-- SafeSearchPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- SafeSearchPermissions-Applicability-End --> <!-- SafeSearchPermissions-Applicability-End -->
<!-- SafeSearchPermissions-OmaUri-Begin --> <!-- SafeSearchPermissions-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Security Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -78,7 +78,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni
<!-- AllowManualRootCertificateInstallation-Applicability-Begin --> <!-- AllowManualRootCertificateInstallation-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowManualRootCertificateInstallation-Applicability-End --> <!-- AllowManualRootCertificateInstallation-Applicability-End -->
<!-- AllowManualRootCertificateInstallation-OmaUri-Begin --> <!-- AllowManualRootCertificateInstallation-OmaUri-Begin -->
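Review bot: The AllowManualRootCertificateInstallation Editions cell flips Pro, Enterprise and Education from ❌ to ✅ while the Applicable OS column still reads "Windows 10, version 1507 [10.0.10240] and later", and the `Windows SE` entry still has no marker. Admins read this row to decide whether a policy governing manual root certificate installation takes effect on desktop editions, so please confirm the flip against the DDF and give Windows SE an explicit ✅ or ❌. The AntiTheftMode row in the next hunk needs the same check.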
@ -179,7 +179,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin
<!-- AntiTheftMode-Applicability-Begin --> <!-- AntiTheftMode-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AntiTheftMode-Applicability-End --> <!-- AntiTheftMode-Applicability-End -->
<!-- AntiTheftMode-OmaUri-Begin --> <!-- AntiTheftMode-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/07/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage

View File

@ -4,7 +4,7 @@ description: Learn more about the TimeLanguageSettings Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowSet24HourClock-Applicability-Begin --> <!-- AllowSet24HourClock-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
<!-- AllowSet24HourClock-Applicability-End --> <!-- AllowSet24HourClock-Applicability-End -->
<!-- AllowSet24HourClock-OmaUri-Begin --> <!-- AllowSet24HourClock-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/11/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -25,6 +25,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area: Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview) - [Windows Insider Preview](#windows-insider-preview)
- [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@ -106,6 +107,65 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview ## Windows Insider Preview
<!-- AllowOptionalContent-Begin -->
### AllowOptionalContent
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
```
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionalContent-Editable-End -->
<!-- AllowOptionalContent-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionalContent-DFProperties-End -->
<!-- AllowOptionalContent-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Device doesn't receive optional updates. |
| 1 | Device receives optional updates and user can install from WU Settings page. |
| 2 | Device receives optional updates and install them as soon as they're available. |
<!-- AllowOptionalContent-AllowedValues-End -->
<!-- AllowOptionalContent-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionalContent-Examples-End -->
<!-- AllowOptionalContent-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin --> <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates ### ConfigureDeadlineNoAutoRebootForFeatureUpdates
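Review bot: In the AllowOptionalContent Allowed values table, the row for 2 reads "Device receives optional updates and install them as soon as they're available"; it should be "installs them". The description ("enables devices to get offered optional updates and users interact with the ... toggle") is also hard to parse; something like "lets devices be offered optional updates and lets users use the ... toggle" would be clearer. The Group policy mapping path `WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat` looks like raw category identifiers rather than the path an admin would browse to, so please check how it renders.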
@ -393,6 +453,7 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you
| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | | 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). |
| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). | | 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). |
| 64 | {0x40} - Release Preview of Quality Updates Only. | | 64 | {0x40} - Release Preview of Quality Updates Only. |
| 128 | {0x80} - Canary Channel. |
<!-- BranchReadinessLevel-AllowedValues-End --> <!-- BranchReadinessLevel-AllowedValues-End -->
<!-- BranchReadinessLevel-GpMapping-Begin --> <!-- BranchReadinessLevel-GpMapping-Begin -->
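Review bot: The new row `| 128 | {0x80} - Canary Channel. |` gives only the channel name, while the neighbouring rows for 16 and 32 say what the device receives. Add a short clause stating what a device set to 128 is offered, so the consequence of choosing this value is visible in the table.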
@ -2079,41 +2140,8 @@ Note that the default max active hours range is 18 hours from the active hours s
<!-- AllowAutoUpdate-OmaUri-End --> <!-- AllowAutoUpdate-OmaUri-End -->
<!-- AllowAutoUpdate-Description-Begin --> <!-- AllowAutoUpdate-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you won't get security updates as well. If the policy isn't configured, end-users get the default behavior (Auto install and restart).
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- AllowAutoUpdate-Description-End --> <!-- AllowAutoUpdate-Description-End -->
<!-- AllowAutoUpdate-Editable-Begin --> <!-- AllowAutoUpdate-Editable-Begin -->
@ -2245,41 +2273,8 @@ This policy is accessible through the Update setting in the user interface or Gr
<!-- AllowMUUpdateService-OmaUri-End --> <!-- AllowMUUpdateService-OmaUri-End -->
<!-- AllowMUUpdateService-Description-Begin --> <!-- AllowMUUpdateService-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- AllowMUUpdateService-Description-End --> <!-- AllowMUUpdateService-Description-End -->
<!-- AllowMUUpdateService-Editable-Begin --> <!-- AllowMUUpdateService-Editable-Begin -->
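Review bot: The replacement text on the Description-Source-DDF line ("Allows the IT admin to manage whether to scan for app updates from Microsoft Update.") gives neither the value type nor the allowed values, while the week-schedule replacements in this same commit at least end with "Value type is integer." Removing the Automatic Updates option list from this policy makes sense, since that list describes a different setting, but please add the allowed values and say which one turns the Microsoft Update scan on, so that someone auditing which update sources a device uses can read it from this description.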
@ -2824,41 +2819,8 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
<!-- ScheduledInstallDay-OmaUri-End --> <!-- ScheduledInstallDay-OmaUri-End -->
<!-- ScheduledInstallDay-Description-Begin --> <!-- ScheduledInstallDay-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the day of the update installation. The data type is a integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallDay-Description-End --> <!-- ScheduledInstallDay-Description-End -->
<!-- ScheduledInstallDay-Editable-Begin --> <!-- ScheduledInstallDay-Editable-Begin -->
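Review bot: "The data type is a integer." in the new ScheduledInstallDay description should read "an integer", and the week policies changed in this commit phrase the same fact as "Value type is integer."; pick one wording for all of them. The sentence also gives no mapping from integer to day of the week, so unless the allowed-values section of this policy already covers it, add the mapping here.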
@ -2928,41 +2890,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallEveryWeek-OmaUri-End --> <!-- ScheduledInstallEveryWeek-OmaUri-End -->
<!-- ScheduledInstallEveryWeek-Description-Begin --> <!-- ScheduledInstallEveryWeek-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the update installation on the every week. Value type is integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallEveryWeek-Description-End --> <!-- ScheduledInstallEveryWeek-Description-End -->
<!-- ScheduledInstallEveryWeek-Editable-Begin --> <!-- ScheduledInstallEveryWeek-Editable-Begin -->
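Review bot: "schedule the update installation on the every week" in the new ScheduledInstallEveryWeek description has a stray "on the", apparently left over from the "on the first week of the month" wording used for the sibling policies. Suggest "Enables the IT admin to schedule the update installation every week. Value type is integer."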
@ -3026,41 +2955,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallFirstWeek-OmaUri-End --> <!-- ScheduledInstallFirstWeek-OmaUri-End -->
<!-- ScheduledInstallFirstWeek-Description-Begin --> <!-- ScheduledInstallFirstWeek-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallFirstWeek-Description-End --> <!-- ScheduledInstallFirstWeek-Description-End -->
<!-- ScheduledInstallFirstWeek-Editable-Begin --> <!-- ScheduledInstallFirstWeek-Editable-Begin -->
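Review bot: The new ScheduledInstallFirstWeek description states the value type but not which values enable or disable the first-week schedule, and the fourth, second and third week descriptions in the following hunks have the same gap. The removed block was also the only text in this description that tied scheduled installation to option 4 ("Automatically download updates and install them on the schedule specified below"); if these week policies depend on that mode, one sentence saying so would keep an admin from setting a schedule that never applies and leaving devices unpatched.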
@ -3133,41 +3029,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallFourthWeek-OmaUri-End --> <!-- ScheduledInstallFourthWeek-OmaUri-End -->
<!-- ScheduledInstallFourthWeek-Description-Begin --> <!-- ScheduledInstallFourthWeek-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallFourthWeek-Description-End --> <!-- ScheduledInstallFourthWeek-Description-End -->
<!-- ScheduledInstallFourthWeek-Editable-Begin --> <!-- ScheduledInstallFourthWeek-Editable-Begin -->
@ -3240,41 +3103,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallSecondWeek-OmaUri-End --> <!-- ScheduledInstallSecondWeek-OmaUri-End -->
<!-- ScheduledInstallSecondWeek-Description-Begin --> <!-- ScheduledInstallSecondWeek-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallSecondWeek-Description-End --> <!-- ScheduledInstallSecondWeek-Description-End -->
<!-- ScheduledInstallSecondWeek-Editable-Begin --> <!-- ScheduledInstallSecondWeek-Editable-Begin -->
@ -3347,41 +3177,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallThirdWeek-OmaUri-End --> <!-- ScheduledInstallThirdWeek-OmaUri-End -->
<!-- ScheduledInstallThirdWeek-Description-Begin --> <!-- ScheduledInstallThirdWeek-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallThirdWeek-Description-End --> <!-- ScheduledInstallThirdWeek-Description-End -->
<!-- ScheduledInstallThirdWeek-Editable-Begin --> <!-- ScheduledInstallThirdWeek-Editable-Begin -->
@ -3454,41 +3251,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-OmaUri-End --> <!-- ScheduledInstallTime-OmaUri-End -->
<!-- ScheduledInstallTime-Description-Begin --> <!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-DDF -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- ScheduledInstallTime-Description-End --> <!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin --> <!-- ScheduledInstallTime-Editable-Begin -->
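Review bot: The replacement ScheduledInstallTime description contains "The data type is a integer", which should read "an integer". The block is marked Description-Source-DDF, so the wording is best corrected in the DDF text it is generated from, otherwise the next regeneration brings the typo back. The removed ADMX text also said the default schedule is every day at 3:00 AM; the new text keeps "The default value is 3", which is consistent with that.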

View File

@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 07/06/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- Device-{ProfileName}-EdpModeId-Description-Begin --> <!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- Device-{ProfileName}-EdpModeId-Description-End --> <!-- Device-{ProfileName}-EdpModeId-Description-End -->
<!-- Device-{ProfileName}-EdpModeId-Editable-Begin --> <!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -3119,7 +3119,7 @@ Type of routing policy.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin --> <!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-End --> <!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin --> <!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
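Review bot: The Servers description still has two defects on the changed line after the "seperated" fix: "Examples, 208.147.66.130 or vpn.contoso.com The name can be ..." is missing the period between the two sentences, and "You can make a list of server" should be "a list of servers". Since the line is already being touched, fix all three together. The same sentence appears in the User-scope NativeProfile-Servers hunk and needs the identical correction.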
@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- User-{ProfileName}-EdpModeId-Description-Begin --> <!-- User-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- User-{ProfileName}-EdpModeId-Description-End --> <!-- User-{ProfileName}-EdpModeId-Description-End -->
<!-- User-{ProfileName}-EdpModeId-Editable-Begin --> <!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7359,7 +7359,7 @@ Type of routing policy.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin --> <!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-End --> <!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin --> <!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 05/10/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- WindowsLicensing-Begin --> <!-- WindowsLicensing-Begin -->
# WindowsLicensing CSP # WindowsLicensing CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsLicensing-Editable-Begin --> <!-- WindowsLicensing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The WindowsLicensing configuration service provider is designed for licensing related management scenarios. The WindowsLicensing configuration service provider is designed for licensing related management scenarios.
@ -161,7 +163,7 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
<!-- Device-DeviceLicensingService-Applicability-Begin --> <!-- Device-DeviceLicensingService-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-Applicability-End --> <!-- Device-DeviceLicensingService-Applicability-End -->
<!-- Device-DeviceLicensingService-OmaUri-Begin --> <!-- Device-DeviceLicensingService-OmaUri-Begin -->
@ -200,7 +202,7 @@ Device Based Subscription.
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-End --> <!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-OmaUri-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingLastError-OmaUri-Begin -->
@ -239,7 +241,7 @@ Returns the last error code of Refresh/Remove Device License operation. Value wo
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-End --> <!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-OmaUri-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-OmaUri-Begin -->
@ -278,7 +280,7 @@ Returns last error description from Device Licensing. Value would be empty, if e
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-End --> <!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-OmaUri-Begin --> <!-- Device-DeviceLicensingService-DeviceLicensingStatus-OmaUri-Begin -->
@ -317,7 +319,7 @@ Returns the status of Refresh/Remove Device License operation.
<!-- Device-DeviceLicensingService-LicenseType-Applicability-Begin --> <!-- Device-DeviceLicensingService-LicenseType-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-LicenseType-Applicability-End --> <!-- Device-DeviceLicensingService-LicenseType-Applicability-End -->
<!-- Device-DeviceLicensingService-LicenseType-OmaUri-Begin --> <!-- Device-DeviceLicensingService-LicenseType-OmaUri-Begin -->
@ -795,7 +797,7 @@ This setting is only applicable to devices available in S mode.
<!-- Device-Status-Description-Begin --> <!-- Device-Status-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown. Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown.
<!-- Device-Status-Description-End --> <!-- Device-Status-Description-End -->
<!-- Device-Status-Editable-Begin --> <!-- Device-Status-Editable-Begin -->
@ -997,7 +999,7 @@ Returns the status of the subscription.
<!-- Device-Subscriptions-DisableSubscription-Applicability-Begin --> <!-- Device-Subscriptions-DisableSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-DisableSubscription-Applicability-End --> <!-- Device-Subscriptions-DisableSubscription-Applicability-End -->
<!-- Device-Subscriptions-DisableSubscription-OmaUri-Begin --> <!-- Device-Subscriptions-DisableSubscription-OmaUri-Begin -->
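Review bot: The Applicable OS cell for DisableSubscription changes from "Windows 10, version 1607 [10.0.14393] and later" to "Windows Insider Preview", and the same swap is repeated for RemoveSubscription, SubscriptionLastError, SubscriptionLastErrorDescription, SubscriptionStatus and SubscriptionType. Please confirm that none of these nodes is available on released builds, because the table now tells administrators the nodes cannot be used outside Insider builds. The DeviceLicensingService hunks in this same file list explicit build numbers; an explicit minimum build here, once known, would be more useful than the Insider label alone.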
@ -1045,7 +1047,7 @@ Disable or Enable subscription activation on a device.
<!-- Device-Subscriptions-RemoveSubscription-Applicability-Begin --> <!-- Device-Subscriptions-RemoveSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-RemoveSubscription-Applicability-End --> <!-- Device-Subscriptions-RemoveSubscription-Applicability-End -->
<!-- Device-Subscriptions-RemoveSubscription-OmaUri-Begin --> <!-- Device-Subscriptions-RemoveSubscription-OmaUri-Begin -->
@ -1084,7 +1086,7 @@ Remove subscription uninstall subscription license. It also reset subscription t
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-Begin --> <!-- Device-Subscriptions-SubscriptionLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-End --> <!-- Device-Subscriptions-SubscriptionLastError-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastError-OmaUri-Begin --> <!-- Device-Subscriptions-SubscriptionLastError-OmaUri-Begin -->
@ -1123,7 +1125,7 @@ Error code of last subscription operation. Value would be empty(0) in absence of
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-Begin --> <!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-End --> <!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-Begin --> <!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-Begin -->
@ -1162,7 +1164,7 @@ Error description of last subscription operation. Value would be empty, if error
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-Begin --> <!-- Device-Subscriptions-SubscriptionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-End --> <!-- Device-Subscriptions-SubscriptionStatus-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionStatus-OmaUri-Begin --> <!-- Device-Subscriptions-SubscriptionStatus-OmaUri-Begin -->
@ -1201,7 +1203,7 @@ Status of last subscription operation.
<!-- Device-Subscriptions-SubscriptionType-Applicability-Begin --> <!-- Device-Subscriptions-SubscriptionType-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionType-Applicability-End --> <!-- Device-Subscriptions-SubscriptionType-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionType-OmaUri-Begin --> <!-- Device-Subscriptions-SubscriptionType-OmaUri-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 08/02/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -342,6 +342,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
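Review bot: The added MSFT:Applicability block uses OsBuildVersion 99.9.99999 and CspVersion 9.9, which read as placeholder values rather than a real build, and the same block is repeated in the next five hunks of this DDF. Confirm that this is the intended marker for preview-only nodes and that it matches the "Windows Insider Preview" label used in the CSP reference, since anything that compares OsBuildVersion against a device build will treat these nodes as unsupported everywhere.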
@ -373,6 +377,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -394,6 +402,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -415,6 +427,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -436,6 +452,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
@ -467,6 +487,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -600,7 +624,7 @@ The following XML file contains the device description framework (DDF) for the W
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22621, 10.0.22000.1165</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion> <MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
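Review bot: OsBuildVersion changes from a single value to the comma-separated list "10.0.22621, 10.0.22000.1165" inside one element. Every other OsBuildVersion element visible in this diff holds a single version, so confirm that the DDF schema and any consumer of this file accept a list here. The order also differs from the CSP reference table, which lists version 21H2 [10.0.22000.1165] before 22H2 [10.0.22621]; keeping one order in both places makes the two easier to compare.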

View File

@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
```powershell ```powershell
$text = "<myOriginalGroupID>" ; $text = "<myOriginalGroupID>`0" ; # The `0 null terminator is required
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
``` ```
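Review bot: Appending `0 to $text means the Write-Host on the next line prints the null character as part of "$text ==> $digB64", so the mapping output now contains an embedded NUL that can truncate or corrupt the line when it is copied or redirected. Keep the original ID in its own variable, build the hashed input from it with the `0 appended, and print the original variable. The comment says the terminator is required but not why; because the bytes come from [System.Text.Encoding]::Unicode, the change adds two zero bytes to the hashed input, and saying so in the comment would help anyone reimplementing the mapping in another language.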

View File

@ -76,7 +76,7 @@
href: operate/windows-autopatch-edge.md href: operate/windows-autopatch-edge.md
- name: Microsoft Teams - name: Microsoft Teams
href: operate/windows-autopatch-teams.md href: operate/windows-autopatch-teams.md
- name: Windows quality and feature update reports - name: Windows quality and feature update reports overview
href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
items: items:
- name: Windows quality update reports - name: Windows quality update reports
@ -107,8 +107,8 @@
href: operate/windows-autopatch-manage-driver-and-firmware-updates.md href: operate/windows-autopatch-manage-driver-and-firmware-updates.md
- name: Submit a support request - name: Submit a support request
href: operate/windows-autopatch-support-request.md href: operate/windows-autopatch-support-request.md
- name: Deregister a device - name: Exclude a device
href: operate/windows-autopatch-deregister-devices.md href: operate/windows-autopatch-exclude-device.md
- name: Unenroll your tenant - name: Unenroll your tenant
href: operate/windows-autopatch-unenroll-tenant.md href: operate/windows-autopatch-unenroll-tenant.md
- name: References - name: References

View File

@ -1,51 +0,0 @@
---
title: Deregister a device
description: This article explains how to deregister devices
ms.date: 06/15/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
ms.collection:
- tier2
---
# Deregister a device
To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
**To deregister a device:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
> [!WARNING]
> Removing devices from the Windows Autopatch Device Registration Azure AD group doesn't deregister devices from the Windows Autopatch service.
## Excluded devices
When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to reregister the device into the service again, since the deregistration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
> [!IMPORTANT]
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
If you want to reregister a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices.
## Hiding unregistered devices
You can hide unregistered devices you don't expect to be remediated anytime soon.
**To hide unregistered devices:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
1. Unselect the **Registration failed** status checkbox from the list.
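Review bot: The deleted article's "Hiding unregistered devices" section (the Not ready tab procedure that unselects the Registration failed status) has no counterpart in the replacement article added below. If that procedure still works in the admin center it should be carried over or linked; if it was dropped on purpose, say so in the commit description. The deleted text also stated that re-registering a device requires a support request to clear the "excluded" flag, while the replacement documents a self-service Restore device action, so please confirm the support-request path is really retired.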

View File

@ -0,0 +1,56 @@
---
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
ms.collection:
- tier2
---
# Exclude a device
To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups.
> [!IMPORTANT]
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
**To exclude a device:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In either the **Ready** or **Not ready** tab, select the device(s) you want to exclude.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**.
> [!WARNING]
> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
## Only view excluded devices
You can view the excluded devices in the **Not registered** tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service.
**To view only excluded devices:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select **Excluded** from the filter list. Leave all other filter options unselected.
## Restore a device or multiple devices previously excluded
**To restore a device or multiple devices previously excluded:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select the device(s) you want to restore.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.
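Review bot: The `[!WARNING]` after the exclude steps uses "excluding" for two different operations: "Excluding devices from the Windows Autopatch Device Registration group ... doesn't exclude devices from the Windows Autopatch service". The paragraph above it calls the group operation "device membership removal", so "Removing devices from the Windows Autopatch Device Registration group ..." would say what is meant and keep "exclude" for the service action only. That same paragraph is a single long sentence ("... is flagged as **excluded** so ... since the exclusion command doesn't trigger ...") and is easier to follow split in two: first that the device is flagged, then that group membership is left untouched. Smaller wording points: "remove specific device" in the `[!IMPORTANT]` note needs an article, and the steps should read "Sign in to" rather than "Sign into".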

View File

@ -21,9 +21,10 @@ ms.collection:
The Windows quality reports provide you with information about: The Windows quality reports provide you with information about:
Quality update device readiness - Quality update device readiness
Device update health - Device update health
Device update alerts - Device update alerts
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
The Windows quality report types are organized into the following focus areas: The Windows quality report types are organized into the following focus areas:
@ -106,4 +107,4 @@ Within each 24-hour reporting period, devices that are Not Ready are reevaluated
## Data export ## Data export
Select**Export devices**to export data for each report type. Only selected columns will be exported. Select**Export devices**to export data for each report type. Only selected columns are exported.

View File

@ -1,7 +1,7 @@
--- ---
title: Unenroll your tenant title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take. description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 07/27/2022 ms.date: 08/08/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: how-to ms.topic: how-to
@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant. - Remove Windows Autopatch access to your tenant.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). - Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
- Delete all data that we've stored in the Windows Autopatch data storage. - Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE] > [!NOTE]
@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description | | Responsibility | Description |
| ----- | ----- | | ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | | Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
## Your responsibilities after unenrolling your tenant ## Your responsibilities after unenrolling your tenant
@ -50,10 +50,10 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
**To unenroll from Windows Autopatch:** **To unenroll from Windows Autopatch:**
1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service. 1. [Submit a support request](../operate/windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service. 1. The Windows Autopatch Service Engineering Team communicates with your IT Administrator to confirm your intent to unenroll from the service.
1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team. 1. You have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). 1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete. 1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete.
1. Youre responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). 1. Youre responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).
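Review bot: Step 1 changes a working sibling link, `windows-autopatch-support-request.md`, to `../operate/windows-autopatch-support-request.md`. The old bare file name only resolves if this article already sits in `operate/`, so the new path goes up one directory and straight back in. The same applies to the `../operate/windows-autopatch-exclude-device.md` links added earlier in this file. The plain file name is shorter and survives a folder rename; if the longer form is a deliberate convention, it is worth applying to every sibling link in the file rather than only the ones touched here.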

View File

@ -1,7 +1,7 @@
--- ---
title: What is Windows Autopatch? title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles. description: Details what the service is and shortcuts to articles.
ms.date: 07/11/2023 ms.date: 08/08/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -64,7 +64,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
| ----- | ----- | | ----- | ----- |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> | | Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> | | Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul> | Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Exclude a device](../operate/windows-autopatch-exclude-device.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> | | References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> |
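Review bot: The Operate row is the only row in this table without a closing ` |`, on both the old and the new side, and this change rewrites the line without adding it. Most renderers tolerate a missing trailing pipe, but since the line is being edited anyway, ending it with `</li></ul> |` would match the Prepare, Deploy and References rows.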
### Have feedback or would like to start a discussion? ### Have feedback or would like to start a discussion?

View File

@ -1,7 +1,7 @@
--- ---
title: Roles and responsibilities title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 07/31/2023 ms.date: 08/08/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -86,10 +86,10 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: | | Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul> | Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | | [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: | | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: | | [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | | [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: | | Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
| Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: | | Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: |
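Review bot: The row "Register a device that was previously excluded (upon customers request)" keeps its `:x:` / `:heavy_check_mark:` marks, which by the pattern of the neighbouring rows assigns the task to the service rather than to the customer, yet this same commit documents a self-service **Restore device** action in the Intune admin center. Either the row should be reworded and re-marked to reflect that admins can now restore excluded devices themselves, or the article should say when a request to the service is still needed. The link also drops the old `#excluded-devices` fragment; pointing it at `#restore-a-device-or-multiple-devices-previously-excluded`, as the What's new entry does, would land readers on the relevant section.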

View File

@ -1,7 +1,7 @@
--- ---
title: What's new 2023 title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers. description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 08/01/2023 ms.date: 08/08/2023
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-updates ms.technology: itpro-updates
ms.topic: whats-new ms.topic: whats-new
@ -27,6 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description | | Article | Description |
| ----- | ----- | | ----- | ----- |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature |
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) | | [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## July 2023 ## July 2023

View File

@ -37,29 +37,31 @@ items:
tocHref: /windows/security/ tocHref: /windows/security/
topicHref: /windows/security/ topicHref: /windows/security/
items: items:
- name: Hardware security
tocHref: /windows/security/hardware-security/
topicHref: /windows/security/hardware-security/
- name: Operating system security
tocHref: /windows/security/operating-system-security/
topicHref: /windows/security/operating-system-security/
- name: Identity protection - name: Identity protection
tocHref: /windows/security/identity-protection/ tocHref: /windows/security/identity-protection/
topicHref: /windows/security/identity-protection/ topicHref: /windows/security/identity-protection/
- name: Application security
tocHref: /windows/security/application-security/
topicHref: /windows/security/application-security/
items: items:
- name: Windows Hello for Business - name: Application Control for Windows
tocHref: /windows/security/identity-protection/hello-for-business/ tocHref: /windows/security/application-security/application-control/windows-defender-application-control/
topicHref: /windows/security/identity-protection/hello-for-business topicHref: /windows/security/application-security/application-control/windows-defender-application-control/
- name: Microsoft Defender Application Guard
tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/
topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- name: Security foundations
tocHref: /windows/security/security-foundations/
topicHref: /windows/security/security-foundations/
- name: Security auditing - name: Security auditing
tocHref: /windows/security/threat-protection/auditing/ tocHref: /windows/security/threat-protection/auditing/
topicHref: /windows/security/threat-protection/auditing/security-auditing-overview topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
- name: Microsoft Defender Application Guard
tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/
topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
- name: Security policy settings - name: Security policy settings
tocHref: /windows/security/threat-protection/security-policy-settings/ tocHref: /windows/security/threat-protection/security-policy-settings/
topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
- name: Application Control for Windows
tocHref: /windows/security/threat-protection/windows-defender-application-control/
topicHref: /windows/security/threat-protection/windows-defender-application-control/
- name: OS
tocHref: /windows/security/operating-system-security/
topicHref: /windows/security/operating-system-security/
- name: Windows Defender Firewall
tocHref: /windows/security/operating-system-security/network-security/windows-firewall/
topicHref: /windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security

View File

@ -32,7 +32,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No | | **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No | | **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes | | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes | | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No |
| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes | | **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
| **8 Required:EV Signers** | This option isn't currently supported. | No | | **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
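Review bot: The last cell of the option 6 row (**Enabled:Unsigned System Integrity Policy**) flips from Yes to No while the description is left unchanged, and the column header is outside the hunk, so the intent can't be checked from the diff alone. If that column states whether the option may be set in a supplemental policy, the new value should be reconciled with the description, which still explains signing requirements for supplemental policies and the SupplementalPolicySigners section. Since this governs whether policies can remain unsigned, please confirm the flip is a deliberate correction and not a side effect of the merge, and note the reason in the change description.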

View File

@ -1,11 +1,8 @@
--- ---
ms.date: 12/05/2022 ms.date: 08/03/2023
title: Local Accounts title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: conceptual ms.topic: conceptual
ms.collection:
- highpri
- tier2
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@ -20,7 +17,7 @@ This article describes the default local user accounts for Windows operating sys
## About local user accounts ## About local user accounts
Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users. Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
## Default local user accounts ## Default local user accounts
@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso
Default local user accounts are described in the following sections. Expand each section for more information. Default local user accounts are described in the following sections. Expand each section for more information.
<br> ### Administrator
<details>
<summary><b>Administrator</b></summary>
The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation. The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
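Review bot: The context line "Expand each section for more information." is left in place although this hunk removes the `<details>`/`<summary>` wrapper and turns the section into a plain `### Administrator` heading. With nothing left to expand, that sentence should be dropped, so the intro reads only "Default local user accounts are described in the following sections."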
@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation. Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
**Account group membership** #### Account group membership
By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device. By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.
The Administrator account can't be removed from the Administrators group. The Administrator account can't be removed from the Administrators group.
**Security considerations** #### Security considerations
Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
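Review bot: The new Administrator subheadings, `#### Account group membership` and `#### Security considerations`, are generic, while the Guest section further down in this commit uses `#### Guest account group membership` and `#### Guest account security considerations`. Prefixing the Administrator headings the same way ("Administrator account group membership", "Administrator account security considerations") keeps the heading text consistent and gives each subsection a unique, self-describing anchor for deep links.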
@ -61,51 +56,42 @@ As a security best practice, use your local (non-Administrator) account to sign
Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
> [!IMPORTANT] > [!IMPORTANT]
>
> - Blank passwords are not allowed.
> >
> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. > - Blank passwords are not allowed
> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled.
</details> ### Guest
<br>
<details>
<summary><b>Guest</b></summary>
The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.
**Account group membership** #### Guest account group membership
By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device. By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device.
**Security considerations** #### Guest account security considerations
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers. When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.
In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user. In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.
</details> ### HelpAssistant
<br>
<details>
<summary><b>HelpAssistant</b></summary>
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
**Security considerations** #### HelpAssistant account security considerations
The SIDs that pertain to the default HelpAssistant account include: The SIDs that pertain to the default HelpAssistant account include:
- SID: `S-1-5-<domain>-13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. - SID: `S-1-5-<domain>-13`, display name *Terminal Server User*. This group includes all users who sign in to a server with Remote Desktop Services enabled.
- SID: `S-1-5-<domain>-14`, display name *Remote Interactive Logon*. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
- SID: `S-1-5-<domain>-14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used. For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.
For details about the HelpAssistant account attributes, see the following table. For details about the HelpAssistant account attributes, see the following table.
**HelpAssistant account attributes** #### HelpAssistant account attributes
|Attribute|Value| |Attribute|Value|
|--- |--- | |--- |--- |
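Review bot: In the "Guest account group membership" paragraph, the new code span reads `SID S-1-5-32-546`, so the label "SID" is formatted as part of the identifier and the parentheses from the old text are lost. Keep the label outside the span, for example "the default Guests group (SID `S-1-5-32-546`)", which matches how the HelpAssistant list in this same hunk writes "SID: `S-1-5-<domain>-13`". The hunk also silently drops the note that Remote Desktop Services is called Terminal Services in Windows Server 2008; the commit message ("bring even with main, fix merge conflict") doesn't mention content removals, so please confirm that this one is intended.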
@ -118,15 +104,11 @@ For details about the HelpAssistant account attributes, see the following table.
|Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No| |Safe to delegate management of this group to non-Service admins?|No|
</details> ### DefaultAccount
<br>
<details>
<summary><b>DefaultAccount</b></summary>
The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic. The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.
The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience. The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience.
The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\<ComputerIdentifier>-503`. The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\<ComputerIdentifier>-503`.
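Review bot: The SID format on the unchanged RID line is written as `S-1-5-21-\<ComputerIdentifier>-503`. A backslash inside a code span is not an escape and renders literally, so readers see a stray backslash in the middle of the SID. Since this hunk already edits the neighbouring "desktop SKUs" sentence, drop the backslash here as well so the span shows only the placeholder between the `S-1-5-21-` prefix and the `-503` RID.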
@ -135,19 +117,20 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**,
The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM). The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
#### How Windows uses the DefaultAccount #### How Windows uses the DefaultAccount
From a permission perspective, the DefaultAccount is a standard user account.
The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
MUMA apps run all the time and react to users signing in and signing out of the devices.
Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.
MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. From a permission perspective, the DefaultAccount is a standard user account.
Today, Xbox automatically signs in as Guest account and all apps run in this context. The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
All the apps are multi-user-aware and respond to events fired by user manager. MUMA apps run all the time and react to users signing in and signing out of the devices.
Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.
MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app.
Today, Xbox automatically signs in as Guest account and all apps run in this context.
All the apps are multi-user-aware and respond to events fired by user manager.
The apps run as the Guest account. The apps run as the Guest account.
Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
For this purpose, the system creates DSMA. For this purpose, the system creates DSMA.
#### How the DefaultAccount gets created on domain controllers #### How the DefaultAccount gets created on domain controllers
@ -158,35 +141,25 @@ If the domain was created with domain controllers running an earlier version of
#### Recommendations for managing the Default Account (DSMA) #### Recommendations for managing the Default Account (DSMA)
Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account. Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
</details>
## Default local system accounts ## Default local system accounts
<br> ### SYSTEM
<details>
<summary><b>SYSTEM</b></summary>
The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account. On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.
> [!NOTE] > [!NOTE]
> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them. > To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
</details> ### NETWORK SERVICE
<br>
<details>
<summary><b>NETWORK SERVICE </b></summary>
The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account). The *NETWORK SERVICE* account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
</details>
<br>
<details>
<summary><b>LOCAL SERVICE</b></summary>
The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account). ### LOCAL SERVICE
</details>
The *LOCAL SERVICE* account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
## How to manage local user accounts ## How to manage local user accounts
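Review bot: The NOTE under the new "### SYSTEM" heading is carried over unchanged and is hard to parse: "To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account." Because it covers file ACLs for the most privileged local account, it should be unambiguous. Consider something like "Granting file permissions to the Administrators group doesn't implicitly grant them to the SYSTEM account." It also keeps "does not" and "do not", while the first hunk of this file changes "it is disabled" to "it's disabled", so the contraction style is now mixed within one article.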
@ -203,17 +176,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by
### Restrict and protect local accounts with administrative rights ### Restrict and protect local accounts with administrative rights
An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement". An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*.
The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section. The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
The other approaches that can be used to restrict and protect user accounts with administrative rights include: The other approaches that can be used to restrict and protect user accounts with administrative rights include:
- Enforce local account restrictions for remote access. - Enforce local account restrictions for remote access
- Deny network logon to all local Administrator accounts
- Deny network logon to all local Administrator accounts. - Create unique passwords for local accounts with administrative rights
- Create unique passwords for local accounts with administrative rights.
Each of these approaches is described in the following sections. Each of these approaches is described in the following sections.
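Review bot: The opening sentence of "Restrict and protect local accounts with administrative rights" is edited here (quotes changed to italics on "lateral movement") but its broken structure is left in place: "prevent malicious users from using stolen credentials ..., for a local account on one computer from being used to authenticate on another computer". The sentence has two competing "from" clauses and a stray comma, which obscures the definition of the threat the section is about. Suggest rewriting it around a single clause, for example "prevent stolen credentials for a local account on one computer, such as a password or password hash, from being used to authenticate on another computer with administrative rights", and have the next sentence say what "This" refers to.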
@ -224,7 +195,7 @@ Each of these approaches is described in the following sections.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you. User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command. UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session. In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
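Review bot: In the UAC paragraph, "**Run as**" becomes "*Run as*", but other UI labels in this same file stay bold in this commit (for example "**Permissions**", "**Security**" and "**Group Policy Management**"). Italics are used elsewhere in the change for terms and account names (*lateral movement*, *NETWORK SERVICE*), so a command label in italics reads as a defined term rather than something the user selects. Keep "Run as" bold for consistency. While on this line, "until full rights, also called elevation, is requested and approved" has a subject-verb mismatch ("rights ... is").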
@ -234,8 +205,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->
|No.|Setting|Detailed Description| |No.|Setting|Detailed Description|
|--- |--- |--- | |--- |--- |--- |
||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options| ||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
@ -251,7 +220,7 @@ The following table shows the Group Policy and registry settings that are used t
> [!NOTE] > [!NOTE]
> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. > You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
#### To enforce local account restrictions for remote access #### To enforce local account restrictions for remote access
1. Start the **Group Policy Management** Console (GPMC) 1. Start the **Group Policy Management** Console (GPMC)
@ -286,6 +255,7 @@ The following table shows the Group Policy and registry settings that are used t
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy 1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations 1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers 1. Create links to all other OUs that contain servers
### Deny network logon to all local Administrator accounts ### Deny network logon to all local Administrator accounts
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials. Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.

View File

@ -8,7 +8,7 @@ metadata:
- highpri - highpri
- tier1 - tier1
ms.topic: faq ms.topic: faq
ms.date: 03/09/2023 ms.date: 08/03/2023
title: Common questions about Windows Hello for Business title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business. summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.

View File

@ -9,9 +9,9 @@ ms.topic: include
| Feature name | Description | | Feature name | Description |
|:---|:---| |:---|:---|
| **Microsoft Security Development Lifecycle (SDL)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. | | **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
| **OneFuzz service** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. | | **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. | | **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. |
## Certification ## Certification
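Review bot: In the "OneFuzz service" row, the feature name now links to the OneFuzz announcement blog post, but the description cell doesn't mention OneFuzz at all. It describes the SDL toolset in general ("threat modeling, static analysis, fuzz testing, and code quality checks") and ends with "Through the SDL practices ...". A reader following the link gets no indication of what the service is or how it relates to the row. Either move this text into the SDL row and give OneFuzz its own one-sentence description, or leave the name unlinked until the description matches. The "quicky" to "quickly" fix in the bounty program row is correct.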

View File

@ -1,162 +1,168 @@
### YamlMime:Landing ### YamlMime:Hub
title: Windows security title: Windows client security documentation
summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive. summary: Learn how to secure Windows clients for your organization.
brand: windows
metadata: metadata:
title: Windows security ms.topic: hub-page
description: Learn about Windows security technologies and how to use them to protect your data and devices.
ms.topic: landing-page
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-security
ms.collection: ms.collection:
- highpri
- tier1 - tier1
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 12/19/2022 manager: aaroncz
ms.date: 07/28/2023
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new highlightedContent:
items:
- title: Get started with Windows security
itemType: get-started
url: introduction.md
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- title: Windows 11, version 22H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- title: Security features licensing and edition requirements
itemType: overview
url: /windows/security/licensing-and-edition-requirements
landingContent:
# Cards and links should be based on top customer tasks or top subjects productDirectory:
# Start card title with a verb title: Get started
# Card (optional) items:
- title: Zero Trust and Windows
linkLists: - title: Hardware security
- linkListType: overview imageSrc: /media/common/i_usb.svg
links: links:
- text: Overview - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
url: zero-trust-windows-device-health.md text: Trusted Platform Module
# Cards and links should be based on top customer tasks or top subjects - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
# Start card title with a verb text: Microsoft Pluton
# Card (optional) - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
- title: Hardware security text: Windows Defender System Guard
linkLists: - url: /windows-hardware/design/device-experiences/oem-vbs
- linkListType: overview text: Virtualization-based security (VBS)
links: - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
- text: Overview text: Secured-core PC
url: hardware.md - url: /windows/security/hardware-security
- linkListType: concept text: Learn more about hardware security >
links:
- text: Trusted Platform Module - title: OS security
url: hardware-security/tpm/trusted-platform-module-top-node.md imageSrc: /media/common/i_threat-protection.svg
- text: Windows Defender System Guard firmware protection links:
url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md - url: /windows/security/operating-system-security
- text: System Guard Secure Launch and SMM protection enablement text: Trusted boot
url: hardware-security/system-guard-secure-launch-and-smm-protection.md - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
- text: Virtualization-based protection of code integrity text: Windows security settings
url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md - url: /windows/security/operating-system-security/data-protection/bitlocker/
- text: Kernel DMA Protection text: BitLocker
url: hardware-security/kernel-dma-protection-for-thunderbolt.md - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
# Cards and links should be based on top customer tasks or top subjects text: Windows security baselines
# Start card title with a verb - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
# Card (optional) text: MMicrosoft Defender SmartScreen
- title: Operating system security - url: /windows/security/operating-system-security
linkLists: text: Learn more about OS security >
- linkListType: overview
links: - title: Identity protection
- text: Overview imageSrc: /media/common/i_identity-protection.svg
url: operating-system-security/index.md links:
- linkListType: concept - url: /windows/security/identity-protection/hello-for-business
links: text: Windows Hello for Business
- text: Trusted boot - url: /windows/security/identity-protection/credential-guard
url: operating-system-security\system-security\trusted-boot.md text: Windows Defender Credential Guard
- text: Windows security baselines - url: /windows-server/identity/laps/laps-overview
url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md text: Windows LAPS (Local Administrator Password Solution)
- text: Virtual private network guide - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
url: operating-system-security/network-security/vpn/vpn-guide.md text: Enhanced phishing protection with SmartScreen
- text: Windows Defender Firewall - url: /education/windows/federated-sign-in
url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md text: Federated sign-in (EDU)
- text: Virus & threat protection - url: /windows/security/identity-protection
url: threat-protection/index.md text: Learn more about identity protection >
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb - title: Application security
# Card (optional) imageSrc: /media/common/i_queries.svg
- title: Application security links:
linkLists: - url: /windows/security/application-security/application-control/windows-defender-application-control/
- linkListType: overview text: Windows Defender Application Control (WDAC)
links: - url: /windows/security/application-security/application-control/user-account-control
- text: Overview text: User Account Control (UAC)
url: application-security/index.md - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
- linkListType: concept text: Microsoft vulnerable driver blocklist
links: - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- text: Application Control and virtualization-based protection text: Microsoft Defender Application Guard (MDAG)
url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
- text: Application Control text: Windows Sandbox
url: application-security/application-control/windows-defender-application-control/wdac.md - url: /windows/security/application-security
- text: Application Guard text: Learn more about application security >
url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
- text: Windows Sandbox - title: Security foundations
url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md imageSrc: /media/common/i_build.svg
- text: Microsoft Defender SmartScreen links:
url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md - url: /windows/security/security-foundations/certification/fips-140-validation
- text: S/MIME for Windows text: FIPS 140-2 validation
url: operating-system-security/data-protection/configure-s-mime.md - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
# Cards and links should be based on top customer tasks or top subjects text: Common Criteria Certifications
# Start card title with a verb - url: /windows/security/security-foundations/msft-security-dev-lifecycle
# Card (optional) text: Microsoft Security Development Lifecycle (SDL)
- title: User security and secured identity - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
linkLists: text: Microsoft Windows Insider Preview bounty program
- linkListType: overview - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
links: text: OneFuzz service
- text: Overview - url: /windows/security/security-foundations
url: identity.md text: Learn more about security foundations >
- linkListType: concept
links: - title: Cloud security
- text: Windows Hello for Business imageSrc: /media/common/i_cloud-security.svg
url: identity-protection/hello-for-business/index.md links:
- text: Protect domain credentials - url: /mem/intune/protect/security-baselines
url: identity-protection/credential-guard/credential-guard.md text: Security baselines with Intune
- text: Windows Defender Credential Guard - url: /windows/deployment/windows-autopatch
url: identity-protection/credential-guard/credential-guard.md text: Windows Autopatch
- text: Lost or forgotten passwords - url: /windows/deployment/windows-autopilot
url: identity-protection/password-support-policy.md text: Windows Autopilot
- text: Access control - url: /universal-print
url: identity-protection/access-control/access-control.md text: Universal Print
- text: Smart cards - url: /windows/client-management/mdm/remotewipe-csp
url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md text: Remote wipe
# Cards and links should be based on top customer tasks or top subjects - url: /windows/security/cloud-security
# Start card title with a verb text: Learn more about cloud security >
# Card (optional)
- title: Cloud services additionalContent:
linkLists: sections:
- linkListType: concept - title: More Windows resources
links: items:
- text: Mobile device management
url: /windows/client-management/mdm/ - title: Windows Server
- text: Azure Active Directory links:
url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Windows Server documentation
- text: Your Microsoft Account url: /windows-server
url: identity-protection/access-control/microsoft-accounts.md - text: What's new in Windows Server 2022?
- text: OneDrive url: /windows-server/get-started/whats-new-in-windows-server-2022
url: /onedrive/onedrive - text: Windows Server blog
- text: Family safety url: https://cloudblogs.microsoft.com/windowsserver/
url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects - title: Windows product site and blogs
# Start card title with a verb links:
# Card (optional) - text: Find out how Windows enables your business to do more
- title: Security foundations url: https://www.microsoft.com/microsoft-365/windows
linkLists: - text: Windows blogs
- linkListType: overview url: https://blogs.windows.com/
links: - text: Windows IT Pro blog
- text: Overview url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
url: security-foundations/index.md - text: Microsoft Intune blog
- linkListType: reference url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
links: - text: "Windows help & learning: end-user documentation"
- text: Microsoft Security Development Lifecycle url: https://support.microsoft.com/windows
url: threat-protection/msft-security-dev-lifecycle.md
- text: Microsoft Bug Bounty - title: Participate in the community
url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program links:
- text: Common Criteria Certifications - text: Windows community
url: threat-protection/windows-platform-common-criteria.md url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
- text: Federal Information Processing Standard (FIPS) 140 Validation - text: Microsoft Intune community
url: threat-protection/fips-140-validation.md url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
# Cards and links should be based on top customer tasks or top subjects - text: Microsoft Support community
# Start card title with a verb url: https://answers.microsoft.com/windows/forum
# Card (optional)
- title: Privacy controls
linkLists:
- linkListType: reference
links:
- text: Windows and Privacy Compliance
url: /windows/privacy/windows-10-and-privacy-compliance
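Review bot: The old "Privacy controls" card and its "Windows and Privacy Compliance" link (/windows/privacy/windows-10-and-privacy-compliance) at the end of this hunk have no counterpart on the new side in the lines shown here. If the privacy entry point is being dropped from the security landing page on purpose, say so in the commit message; otherwise add the link to one of the new cards or to the "More Windows resources" section. Separately, the new "Security foundations" card labels its link "FIPS 140-2 validation" while the target path is fips-140-validation and the old text read "(FIPS) 140 Validation"; keep the version-neutral label unless the target article covers only 140-2.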

View File

@ -1,21 +1,21 @@
--- ---
title: BitLocker overview title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. description: Learn about BitLocker requirements, practical applications, and deprecated features.
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
ms.topic: conceptual ms.topic: overview
ms.date: 11/08/2022 ms.date: 08/03/2023
--- ---
# BitLocker overview # BitLocker overview
Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\ Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
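Review bot: The reworded TPM sentence in this hunk still carries the typo "ant it works with BitLocker", and the opening sentence still spells the product "Bitlocker" while every other occurrence is "BitLocker". Both lines are already being modified, so correct them to "and it works" and "BitLocker" in the same change. Also note that the intro no longer states "version 1.2 or later versions", while the hardware requirements list further down still does; confirm the two sections are meant to differ.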
@ -27,30 +27,25 @@ Data on a lost or stolen device is vulnerable to unauthorized access, either by
BitLocker has the following hardware requirements: BitLocker has the following hardware requirements:
For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker. - For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment
A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware. > [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
>
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. - The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system
> [!IMPORTANT] - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
> [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
> [!IMPORTANT] > [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
>
> An encrypted partition can't be marked as active. > An encrypted partition can't be marked as active.
When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. > [!NOTE]
> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
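Review bot: The new requirement bullets mix terminology and punctuation. The second bullet starts with "A device with a TPM" and ends with "A computer without a TPM doesn't require TCG-compliant firmware", and the multi-sentence bullets now close without a period even though their inner sentences keep theirs. Pick "device" or "computer" throughout the list and either restore the terminal periods or split the bullets into single statements. The sentence "When installed on a new device, Windows automatically creates the partitions that are required for BitLocker" has also moved into the [!IMPORTANT] callout next to "An encrypted partition can't be marked as active"; the first is informational and reads better as a [!NOTE] or plain text so the callout keeps its weight.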

View File

@ -1,7 +1,7 @@
--- ---
title: How to configure cryptographic settings for IKEv2 VPN connections title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 06/28/2023 ms.date: 08/03/2023
ms.topic: how-to ms.topic: how-to
--- ---
@ -9,8 +9,8 @@ ms.topic: how-to
In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are: In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
- Encryption Algorithm : DES3 - Encryption Algorithm: DES3
- Integrity, Hash Algorithm : SHA1 - Integrity, Hash Algorithm: SHA1
- Diffie Hellman Group (Key Size): DH2 - Diffie Hellman Group (Key Size): DH2
These settings aren't secure for IKE exchanges. These settings aren't secure for IKE exchanges.
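Review bot: The context line that introduces this list, "the default setting for IKEv2 cryptographic settings are:", has a subject-verb mismatch and repeats "setting"; since the list below it is being cleaned up, reword it in the same pass, for example "the default IKEv2 cryptographic settings are:". The colon spacing fix itself is consistent with the second list later in the file.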
@ -31,9 +31,9 @@ On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/
Set-VpnServerIPsecConfiguration -CustomPolicy Set-VpnServerIPsecConfiguration -CustomPolicy
``` ```
## VPN client ## VPN client
For VPN client, you need to configure each VPN connection. For VPN client, you need to configure each VPN connection.
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection: For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:
```powershell ```powershell
@ -44,8 +44,8 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
The following commands configure the IKEv2 cryptographic settings to: The following commands configure the IKEv2 cryptographic settings to:
- Encryption Algorithm : AES128 - Encryption Algorithm: AES128
- Integrity, Hash Algorithm : SHA256 - Integrity, Hash Algorithm: SHA256
- Diffie Hellman Group (Key Size): DH14 - Diffie Hellman Group (Key Size): DH14
### IKEv2 VPN Server ### IKEv2 VPN Server

View File

@ -1,13 +1,13 @@
--- ---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 12/28/2022 ms.date: 08/03/2023
ms.topic: how-to ms.topic: how-to
--- ---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used: This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over Wi-Fi or VPN connections. The following scenarios are typically used:
- Connecting to a network using Wi-Fi or VPN - Connecting to a network using Wi-Fi or VPN
- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials - Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
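Review bot: The body text is changed from "WiFi" to "Wi-Fi", but the front-matter description line in this hunk still reads "over WiFi or VPN connections" on both sides. Update the description to "Wi-Fi" as well so the metadata matches the title and the article body.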
@ -17,15 +17,15 @@ For example, you want to connect to a corporate network and access an internal w
The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
- For VPN, the VPN stack saves its credential as the **session default** - For VPN, the VPN stack saves its credential as the **session default**
- For WiFi, Extensible Authentication Protocol (EAP) provides support - For Wi-Fi, Extensible Authentication Protocol (EAP) provides support
The credentials are placed in Credential Manager as a *session credential*: The credentials are placed in Credential Manager as a *session credential*:
- A *session credential* implies that it is valid for the current user session - A *session credential* implies that it is valid for the current user session
- The credentials are cleaned up when the WiFi or VPN connection is disconnected - The credentials are cleaned up when the Wi-Fi or VPN connection is disconnected
> [!NOTE] > [!NOTE]
> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager. > In Windows 10, version 21H2 and later, the *session credential* isn't visible in Credential Manager.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it. For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations). For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).

View File

@ -1,7 +1,7 @@
--- ---
title: VPN authentication options title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 06/20/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: VPN auto-triggered profile options title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections. description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/24/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: VPN and conditional access title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps. description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
ms.date: 05/23/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---
@ -17,10 +17,10 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) - [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health) - [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional) - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. - Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued. - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status - Antivirus status
- Auto-update status and update compliance - Auto-update status and update compliance
- Password policy compliance - Password policy compliance
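Review bot: The separator after the Intune link is changed to a colon ("device compliance policies](...): Cloud-based device compliance uses ..."), while the neighboring bullets in this hunk keep the " - " separator ("Azure AD Certificate Authority - It's a requirement ..." and "Azure AD-issued short-lived certificates - When a VPN connection attempt ..."). Apply one separator style to all of the bullets in this list. The same bullet still reads "which are capable of querying the device state and define compliance rules"; "define" should agree with "querying".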
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance ## VPN device compliance
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section. At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
Server-side infrastructure requirements to support VPN device compliance include: Server-side infrastructure requirements to support VPN device compliance include:
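Review bot: The rewritten paragraph still writes the profile element as HTML entities, "must contain the &lt;SSO&gt; section". In Markdown source this is easier to read and safer to render as inline code (`<SSO>`), and it makes clear that the text names a literal VPNv2 profile element. The contraction changes in the same sentence look fine.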
@ -91,7 +91,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related topics ## Related articles
- [VPN technical guide](vpn-guide.md) - [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md) - [VPN connection types](vpn-connection-type.md)

View File

@ -1,7 +1,7 @@
--- ---
title: VPN connection types (Windows 10 and Windows 11) title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/24/2022 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---
@ -16,6 +16,7 @@ There are many options for VPN clients. In Windows, the built-in plug-in and the
## Built-in VPN client ## Built-in VPN client
Tunneling protocols: Tunneling protocols:
- [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp). - [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
- [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). - [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
- [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10)) - [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))

View File

@ -1,7 +1,7 @@
--- ---
title: Windows VPN technical guide title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution. description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/24/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -1,7 +1,7 @@
--- ---
title: VPN name resolution title: VPN name resolution
description: Learn how name resolution works when using a VPN connection. description: Learn how name resolution works when using a VPN connection.
ms.date: 05/24/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: article ms.topic: article
ms.date: 05/24/2023 ms.date: 08/03/2023
--- ---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client

View File

@ -1,22 +1,22 @@
--- ---
title: VPN profile options title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/17/2018 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---
# VPN profile options # VPN profile options
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). Most of the VPN settings in Windows can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. VPN settings can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
>[!NOTE] >[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first. >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**. The following table lists the VPN settings and whether the setting can be configured in Intune and Configuration Manager, or can only be configured using **ProfileXML**.
| Profile setting | Can be configured in Intune and Configuration Manager | | Profile setting | Can be configured in Intune and Configuration Manager |
| --- | --- | | --- | --- |
| Connection type | Yes | | Connection type | Yes |
| Routing: split-tunnel routes | Yes, except exclusion routes | | Routing: split-tunnel routes | Yes, except exclusion routes |
| Routing: forced-tunnel | Yes | | Routing: forced-tunnel | Yes |
| Authentication (EAP) | Yes, if connection type is built in | | Authentication (EAP) | Yes, if connection type is built in |
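Review bot: In the intro paragraph, the rewritten second sentence drops "All" ("VPN settings can be configured using the **ProfileXML** node"), which loses the contrast with "Most of the VPN settings ... Intune or Microsoft Configuration Manager" in the sentence before it. The table introduction still says some settings "can only be configured using **ProfileXML**", so the reader needs to know ProfileXML is the complete surface. Suggest keeping the scope word and removing only the version names, for example "All VPN settings can be configured using the **ProfileXML** node".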
@ -33,15 +33,14 @@ The following table lists the VPN settings and whether the setting can be config
| Traffic filters | Yes | | Traffic filters | Yes |
| Proxy settings | Yes, by PAC/WPAD file or server and port | | Proxy settings | Yes, by PAC/WPAD file or server and port |
> [!NOTE] > [!NOTE]
> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. > VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article. The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article.
## Sample Native VPN profile ## Sample Native VPN profile
The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node. The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```xml ```xml
<VPNProfile> <VPNProfile>
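Review bot: The note under the table writes "Force Tunnel Connections" and "Split Tunnel Connections", while the table rows in the same article use "forced-tunnel" and "split-tunnel"; pick one spelling so the note can be matched to the routing rows it qualifies. While this region is being touched, "The following sample is a sample Native VPN profile" can lose the repeated "sample", and "deploy VPN profile as a single blob" needs an article ("deploy a VPN profile").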

View File

@ -1,5 +1,5 @@
--- ---
ms.date: 05/24/2023 ms.date: 08/03/2023
title: VPN routing decisions title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual ms.topic: conceptual

View File

@ -1,7 +1,7 @@
--- ---
title: VPN security features title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters. description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/24/2023 ms.date: 08/03/2023
ms.topic: conceptual ms.topic: conceptual
--- ---

View File

@ -3,7 +3,13 @@ items:
href: index.md href: index.md
- name: Zero Trust and Windows - name: Zero Trust and Windows
href: zero-trust-windows-device-health.md href: zero-trust-windows-device-health.md
- name: Microsoft Security Development Lifecycle - name: Offensive research
href: msft-security-dev-lifecycle.md items:
- name: Microsoft Security Development Lifecycle
href: msft-security-dev-lifecycle.md
- name: OneFuzz service
href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- name: Microsoft Windows Insider Preview bounty program 🔗
href: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- name: Certification - name: Certification
href: certification/toc.yml href: certification/toc.yml
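Review bot: In the new "Offensive research" group, the bounty entry carries the 🔗 external-link marker but the "OneFuzz service" entry, which also points at an absolute https://www.microsoft.com URL, does not; add the marker there so both external links are flagged the same way. The OneFuzz href is a blog post path dated 2020/09/15 rather than a service page, so either rename the entry to match or point it at a page for the service itself. Also check that "Microsoft Security Development Lifecycle" belongs under a parent named "Offensive research": it is the only child with a local target (msft-security-dev-lifecycle.md), and it was a top-level item before this change.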

View File

@ -1,6 +1,4 @@
items: items:
- name: Windows security
href: index.yml
- name: Introduction to Windows security - name: Introduction to Windows security
href: introduction.md href: introduction.md
- name: Security features licensing and edition requirements - name: Security features licensing and edition requirements
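Review bot: The removed first entry ("Windows security", href index.yml) is the only item in the visible lines of this TOC that points at index.yml; confirm the landing page is still reachable from navigation (for example through a breadcrumb or a parent TOC) before dropping it. If the removal is intentional, it deserves a mention in the commit message, which currently describes only the merge.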