deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

bring even with main, fix merge conflict

Browse Source
This commit is contained in:
Aaron Czechowski 2023-08-08 12:33:38 -07:00
commit bd824dbc6f
68 changed files with 2004 additions and 1425 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.windows-deployment.json
View File

@ -1104,6 +1104,11 @@
"source_path": "windows/deployment/windows-10-deployment-tools-reference.md",
"redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device",
"redirect_document_id": true
}
]
}

8
education/includes/education-content-updates.md
View File

@ -2,6 +2,14 @@
## Week of July 31, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 8/3/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
## Week of July 24, 2023

182
education/windows/windows-11-se-overview.md
View File

@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
ms.date: 07/25/2023
ms.date: 08/03/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
> [!IMPORTANT]
> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
## Applications included in Windows 11 SE
@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the
| Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
| Microsoft Edge | Win32 | ✅ | ✅ |
| Excel | Win32 | ✅ | |
| Microsoft Edge | `Win32` | ✅ | ✅ |
| Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | |
| File Explorer | Win32 | | ✅ |
| File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Media Player | UWP | ✅ | |
@ -61,20 +61,20 @@ The following table lists all the applications included in Windows 11 SE and the
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
| Notepad | Win32 | | |
| OneDrive | Win32 | | |
| OneNote | Win32 | ✅ | |
| Notepad | `Win32` | | |
| OneDrive | `Win32` | | |
| OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | |
| Paint | Win32 | ✅ | |
| Paint | `Win32` | ✅ | |
| Photos | UWP | | |
| PowerPoint | Win32 | ✅ | |
| PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
| Teams | Win32 | ✅ | |
| Teams | `Win32` | ✅ | |
| To Do | UWP | | |
| Whiteboard | UWP | ✅ | |
| Word | Win32 | ✅ | |
| Word | `Win32` | ✅ | |
## Available applications
@ -82,98 +82,98 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
| `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | `Win32` | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` |
| `Class Policy` | 116.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` |
| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `DigiExam` | 14.0.6 | Win32 | `Digiexam` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.0.6 | `Win32` | `Digiexam` |
| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` |
| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` |
| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | Win32 | `SIL International` |
| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` |
| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` |
| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` |
| `Epson iProjection` | 3.31 | `Win32` | `Epson` |
| `eTests` | 4.0.25 | `Win32` | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` |
| `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` |
| `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | `Win32` | `SIL International` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` |
| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` |
| `NAPLAN` | 5.2.2 | Win32 | `NAP` |
| `Netref Student` | 23.1.0 | Win32 | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` |
| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `NAPLAN` | 5.2.2 | `Win32` | `NAP` |
| `Netref Student` | 23.1.0 | `Win32` | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` |
| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` |
| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` |
| `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Skoolnext` | 2.19 | Win32 | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | Win32 | `WordQ` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` |
| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` |
| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` |
| `Skoolnext` | 2.19 | `Win32` | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` |
| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | `Win32` | `WordQ` |
| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
| `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` |
## Add your own applications
If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements:
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
- Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions

4
includes/licensing/_edition-requirements.md
View File

@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|
|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes|
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|

4
includes/licensing/_licensing-requirements.md
View File

@ -44,11 +44,11 @@ ms.topic: include
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
|**OneFuzz service**|Yes|Yes|Yes|Yes|Yes|
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|

4
includes/licensing/federated-sign-in.md
View File

@ -15,8 +15,8 @@ The following table lists the Windows editions that support Federated sign-in:
Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|No|No|No|Yes|Yes|
|Yes|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).

5
windows/application-management/apps-in-windows-10.md
View File

@ -52,7 +52,8 @@ There are different types of apps that can run on your Windows client devices. T
- **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
- **Provisioned**: Installed in user account the first time you sign in with a new user account. For a list of some common provisioned apps, see [Provisioned apps installed with the Windows client OS](provisioned-apps-windows-client-os.md).
- **Provisioned**: Installed in user account the first time you sign in with a new user account. To get a list of all the provisioned apps, use Windows PowerShell: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName` The output lists all the provisioned apps, and their package names. For more information, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage).
- **Installed**: Installed as part of the OS.
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. Not all Windows apps are UWP apps.
@ -63,7 +64,7 @@ There are different types of apps that can run on your Windows client devices. T
For more information, see [Get started developing apps for Windows desktop](/windows/apps/get-started) and [Make your apps great on Windows 11](/windows/apps/get-started/make-apps-great-for-windows).
- **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. For a list of some common system apps, see [System apps installed with the Windows client OS](system-apps-windows-client-os.md).
- **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS. To get a list of all the system apps, use Windows PowerShell: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation` The output lists all the system apps, and their installation location. For more information, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage).
- **Web apps** and **Progressive web apps (PWA)**: These apps run on a server, and don't run on the end user device. To use these apps, users must use a web browser and have internet access. **Progressive web apps** are designed to work for all users, work with any browser, and work on any platform.

326
windows/client-management/mdm/defender-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -34,7 +34,9 @@ The following list shows the Defender configuration service provider nodes:
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
- [DataDuplicationRemoteLocation](#configurationdataduplicationremotelocation)
- [DaysUntilAggressiveCatchupQuickScan](#configurationdaysuntilaggressivecatchupquickscan)
- [DefaultEnforcement](#configurationdefaultenforcement)
- [DeviceControl](#configurationdevicecontrol)
- [PolicyGroups](#configurationdevicecontrolpolicygroups)
@ -44,6 +46,7 @@ The following list shows the Defender configuration service provider nodes:
- [{RuleId}](#configurationdevicecontrolpolicyrulesruleid)
- [RuleData](#configurationdevicecontrolpolicyrulesruleidruledata)
- [DeviceControlEnabled](#configurationdevicecontrolenabled)
- [DisableCacheMaintenance](#configurationdisablecachemaintenance)
- [DisableCpuThrottleOnIdleScans](#configurationdisablecputhrottleonidlescans)
- [DisableDatagramProcessing](#configurationdisabledatagramprocessing)
- [DisableDnsOverTcpParsing](#configurationdisablednsovertcpparsing)
@ -58,20 +61,24 @@ The following list shows the Defender configuration service provider nodes:
- [DisableSmtpParsing](#configurationdisablesmtpparsing)
- [DisableSshParsing](#configurationdisablesshparsing)
- [DisableTlsParsing](#configurationdisabletlsparsing)
- [EnableConvertWarnToBlock](#configurationenableconvertwarntoblock)
- [EnableDnsSinkhole](#configurationenablednssinkhole)
- [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel)
- [ExcludedIpAddresses](#configurationexcludedipaddresses)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
- [SecurityIntelligenceLocationUpdateAtScheduledTimeOnly](#configurationsecurityintelligencelocationupdateatscheduledtimeonly)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection)
@ -306,7 +313,7 @@ This settings controls whether Network Protection is allowed to be configured in
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Applicability-End -->
<!-- Device-Configuration-AllowSwitchToAsyncInspection-OmaUri-Begin -->
@ -468,6 +475,45 @@ Define the retention period in days of how much time the evidence data will be k
<!-- Device-Configuration-DataDuplicationLocalRetentionPeriod-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Begin -->
### Configuration/DataDuplicationMaximumQuota
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DataDuplicationMaximumQuota-Applicability-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationMaximumQuota
```
<!-- Device-Configuration-DataDuplicationMaximumQuota-OmaUri-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-Begin -->
<!-- Description-Source-DDF -->
Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.
<!-- Device-Configuration-DataDuplicationMaximumQuota-Description-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Editable-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DataDuplicationMaximumQuota-DFProperties-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-Examples-End -->
<!-- Device-Configuration-DataDuplicationMaximumQuota-End -->
<!-- Device-Configuration-DataDuplicationRemoteLocation-Begin -->
### Configuration/DataDuplicationRemoteLocation
@ -507,6 +553,47 @@ Define data duplication remote location for device control.
<!-- Device-Configuration-DataDuplicationRemoteLocation-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Begin -->
### Configuration/DaysUntilAggressiveCatchupQuickScan
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Applicability-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DaysUntilAggressiveCatchupQuickScan
```
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-OmaUri-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-Begin -->
<!-- Description-Source-DDF -->
Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Description-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Editable-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0,7-60]` |
| Default Value | 25 |
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-DFProperties-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-Examples-End -->
<!-- Device-Configuration-DaysUntilAggressiveCatchupQuickScan-End -->
<!-- Device-Configuration-DefaultEnforcement-Begin -->
### Configuration/DefaultEnforcement
@ -873,6 +960,45 @@ Control Device Control feature.
<!-- Device-Configuration-DeviceControlEnabled-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Begin -->
### Configuration/DisableCacheMaintenance
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-DisableCacheMaintenance-Applicability-End -->
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/DisableCacheMaintenance
```
<!-- Device-Configuration-DisableCacheMaintenance-OmaUri-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Description-Begin -->
<!-- Description-Source-DDF -->
Defines whether the cache maintenance idle task will perform the cache maintenance or not.
<!-- Device-Configuration-DisableCacheMaintenance-Description-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Editable-End -->
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-DisableCacheMaintenance-DFProperties-End -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-DisableCacheMaintenance-Examples-End -->
<!-- Device-Configuration-DisableCacheMaintenance-End -->
<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin -->
### Configuration/DisableCpuThrottleOnIdleScans
@ -928,7 +1054,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-DisableDatagramProcessing-Applicability-End -->
<!-- Device-Configuration-DisableDatagramProcessing-OmaUri-Begin -->
@ -1282,7 +1408,7 @@ This setting disables Inbound connection filtering for Network Protection.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-Begin -->
<!-- Description-Source-DDF -->
When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
<!-- Device-Configuration-DisableLocalAdminMerge-Description-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Editable-Begin -->
@ -1304,8 +1430,8 @@ When this value is set to false, it allows a local admin the ability to specify
| Value | Description |
|:--|:--|
| 1 | Disable Local Admin Merge. |
| 0 (Default) | Enable Local Admin Merge. |
| 1 | Yes. |
| 0 (Default) | No. |
<!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-End -->
<!-- Device-Configuration-DisableLocalAdminMerge-Examples-Begin -->
@ -1559,6 +1685,55 @@ This setting disables TLS Parsing for Network Protection.
<!-- Device-Configuration-DisableTlsParsing-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Begin -->
### Configuration/EnableConvertWarnToBlock
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- Device-Configuration-EnableConvertWarnToBlock-Applicability-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/EnableConvertWarnToBlock
```
<!-- Device-Configuration-EnableConvertWarnToBlock-OmaUri-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether network protection blocks network traffic instead of displaying a warning.
<!-- Device-Configuration-EnableConvertWarnToBlock-Description-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Editable-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-EnableConvertWarnToBlock-DFProperties-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Warn verdicts are converted to block. |
| 0 (Default) | Warn verdicts aren't converted to block. |
<!-- Device-Configuration-EnableConvertWarnToBlock-AllowedValues-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-EnableConvertWarnToBlock-Examples-End -->
<!-- Device-Configuration-EnableConvertWarnToBlock-End -->
<!-- Device-Configuration-EnableDnsSinkhole-Begin -->
### Configuration/EnableDnsSinkhole
@ -1710,6 +1885,45 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
<!-- Device-Configuration-EngineUpdatesChannel-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Begin -->
### Configuration/ExcludedIpAddresses
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ExcludedIpAddresses-Applicability-End -->
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
```
<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Description-Begin -->
<!-- Description-Source-DDF -->
Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
<!-- Device-Configuration-ExcludedIpAddresses-Description-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Editable-End -->
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ExcludedIpAddresses-Examples-End -->
<!-- Device-Configuration-ExcludedIpAddresses-End -->
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Begin -->
### Configuration/HideExclusionsFromLocalAdmins
@ -2008,6 +2222,55 @@ Setting to control automatic remediation for Sense scans.
<!-- Device-Configuration-PassiveRemediation-End -->
<!-- Device-Configuration-PerformanceModeStatus-Begin -->
### Configuration/PerformanceModeStatus
<!-- Device-Configuration-PerformanceModeStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- Device-Configuration-PerformanceModeStatus-Applicability-End -->
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/PerformanceModeStatus
```
<!-- Device-Configuration-PerformanceModeStatus-OmaUri-End -->
<!-- Device-Configuration-PerformanceModeStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.
<!-- Device-Configuration-PerformanceModeStatus-Description-End -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Editable-End -->
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-PerformanceModeStatus-DFProperties-End -->
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
| 1 | Performance mode is disabled. A service restart is required after changing this value. |
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-End -->
<!-- Device-Configuration-PerformanceModeStatus-End -->
<!-- Device-Configuration-PlatformUpdatesChannel-Begin -->
### Configuration/PlatformUpdatesChannel
@ -2101,7 +2364,7 @@ In Microsoft Defender Antivirus, randomize the start time of the scan to any int
| Value | Description |
|:--|:--|
| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. |
| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. |
| 0 | Scheduled tasks won't be randomized. |
<!-- Device-Configuration-RandomizeScheduleTaskTimes-AllowedValues-End -->
<!-- Device-Configuration-RandomizeScheduleTaskTimes-Examples-Begin -->
@ -2239,6 +2502,55 @@ Defines what are the devices primary ids that should be secured by Defender Devi
<!-- Device-Configuration-SecuredDevicesConfiguration-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Begin -->
### Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Applicability-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceLocationUpdateAtScheduledTimeOnly
```
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-OmaUri-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It's used together with the shared security intelligence location (SecurityIntelligenceLocation).
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Description-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Editable-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-DFProperties-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time. |
| 0 (Default) | If you either disable or don't configure this setting, updates occur whenever a new security intelligence update is detected at the location that's specified by SecurityIntelligenceLocation. |
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-Examples-End -->
<!-- Device-Configuration-SecurityIntelligenceLocationUpdateAtScheduledTimeOnly-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
### Configuration/SecurityIntelligenceUpdatesChannel

253
windows/client-management/mdm/defender-ddf.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1033,6 +1033,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ExcludedIpAddresses</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AllowNetworkProtectionOnWinServer</NodeName>
<DFProperties>
@ -1121,7 +1151,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
<Description>When this value is set to no, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
<DFFormat>
<int />
</DFFormat>
@ -1141,11 +1171,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Disable Local Admin Merge</MSFT:ValueDescription>
<MSFT:ValueDescription>Yes</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enable Local Admin Merge</MSFT:ValueDescription>
<MSFT:ValueDescription>No</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -1827,7 +1857,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -1842,6 +1872,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableConvertWarnToBlock</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting controls whether network protection blocks network traffic instead of displaying a warning</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are converted to block</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Warn verdicts are not converted to block</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableNetworkProtectionPerfTelemetry</NodeName>
<DFProperties>
@ -1998,6 +2067,84 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PerformanceModeStatus</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows IT admins to configure performance mode in either enabled or disabled mode for managed devices.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22000</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Performance mode is enabled (default). A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Performance mode is disabled. A service restart is required after changing this value.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>SecurityIntelligenceLocationUpdateAtScheduledTimeOnly</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to configure security intelligence updates according to the scheduler for VDI-configured computers. It is used together with the shared security intelligence location (SecurityIntelligenceLocation).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting and configure SecurityIntelligenceLocation, updates from the configured location occur only at the previously configured scheduled update time.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you either disable or do not configure this setting, updates occur whenever a new security intelligence update is detected at the location that is specified by SecurityIntelligenceLocation.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties>
@ -2037,6 +2184,38 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DaysUntilAggressiveCatchupQuickScan</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Configure how many days can pass before an aggressive quick scan is triggered. The valid interval is [7-60] days. If set to 0, aggressive quick scans will be disabled. By default, the value is set to 25 days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0,7-60]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ASROnlyPerRuleExclusions</NodeName>
<DFProperties>
@ -2157,6 +2336,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DataDuplicationMaximumQuota</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines the maximum data duplication quota in MB that can be collected. When the quota is reached the filter will stop duplicating any data until the service manages to dispatch the existing collected data, thus decreasing the quota again below the maximum.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DataDuplicationLocalRetentionPeriod</NodeName>
<DFProperties>
@ -2418,7 +2627,7 @@ The following XML file contains the device description framework (DDF) for the D
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
@ -2467,7 +2676,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.</MSFT:ValueDescription>
<MSFT:ValueDescription>Scheduled tasks will not be randomized.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -2511,6 +2720,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisableCacheMaintenance</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines whether the cache maintenance idle task will perform the cache maintenance or not.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>

78
windows/client-management/mdm/firewall-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/15/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Firewall-Begin -->
# Firewall CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Firewall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.
@ -3061,7 +3063,7 @@ This value configures the security association idle time, in seconds. Security a
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-OmaUri-Begin -->
@ -3100,7 +3102,7 @@ A list of rules controlling traffic through the Windows Firewall for Hyper-V con
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-OmaUri-Begin -->
@ -3142,7 +3144,7 @@ Unique alpha numeric identifier for the rule. The rule name mustn't include a fo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Action-OmaUri-Begin -->
@ -3194,7 +3196,7 @@ Specifies the action the rule enforces:
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Direction-OmaUri-Begin -->
@ -3249,7 +3251,7 @@ If not specified the default is OUT.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Enabled-OmaUri-Begin -->
@ -3299,7 +3301,7 @@ If not specified - a new rule is disabled by default.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalAddressRanges-OmaUri-Begin -->
@ -3351,7 +3353,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-LocalPortRanges-OmaUri-Begin -->
@ -3391,7 +3393,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Name-OmaUri-Begin -->
@ -3430,7 +3432,7 @@ Specifies the friendly name of the Hyper-V Firewall rule.
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Priority-OmaUri-Begin -->
@ -3470,7 +3472,7 @@ This value represents the order of rule enforcement. A lower priority rule is ev
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Profiles-OmaUri-Begin -->
@ -3520,7 +3522,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Protocol-OmaUri-Begin -->
@ -3560,7 +3562,7 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemoteAddressRanges-OmaUri-Begin -->
@ -3610,7 +3612,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-RemotePortRanges-OmaUri-Begin -->
@ -3650,7 +3652,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-Status-OmaUri-Begin -->
@ -3689,7 +3691,7 @@ Provides information about the specific version of the rule in deployment for mo
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-Applicability-End -->
<!-- Device-MdmStore-HyperVFirewallRules-{FirewallRuleName}-VMCreatorId-OmaUri-Begin -->
@ -3729,7 +3731,7 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G
<!-- Device-MdmStore-HyperVVMSettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-OmaUri-Begin -->
@ -3768,7 +3770,7 @@ Settings for the Windows Firewall for Hyper-V containers. Each setting applies o
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-OmaUri-Begin -->
@ -3810,7 +3812,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-AllowHostPolicyMerge-OmaUri-Begin -->
@ -3859,7 +3861,7 @@ This value is used as an on/off switch. If this value is true, applicable host f
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultInboundAction-OmaUri-Begin -->
@ -3909,7 +3911,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DefaultOutboundAction-OmaUri-Begin -->
@ -3959,7 +3961,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-OmaUri-Begin -->
@ -3997,7 +3999,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4047,7 +4049,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4097,7 +4099,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4147,7 +4149,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-DomainProfile-EnableFirewall-OmaUri-Begin -->
@ -4196,7 +4198,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableFirewall-OmaUri-Begin -->
@ -4245,7 +4247,7 @@ This value is an on/off switch for the Hyper-V Firewall. This value controls the
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-EnableLoopback-OmaUri-Begin -->
@ -4294,7 +4296,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-OmaUri-Begin -->
@ -4332,7 +4334,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4382,7 +4384,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4432,7 +4434,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4482,7 +4484,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PrivateProfile-EnableFirewall-OmaUri-Begin -->
@ -4531,7 +4533,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-OmaUri-Begin -->
@ -4569,7 +4571,7 @@ This value is an on/off switch for the Hyper-V Firewall enforcement.
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-AllowLocalPolicyMerge-OmaUri-Begin -->
@ -4619,7 +4621,7 @@ This value is used as an on/off switch. If this value is false, Hyper-V Firewall
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultInboundAction-OmaUri-Begin -->
@ -4669,7 +4671,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-DefaultOutboundAction-OmaUri-Begin -->
@ -4719,7 +4721,7 @@ This value is the action that the Hyper-V Firewall does by default (and evaluate
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25398] |
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-Applicability-End -->
<!-- Device-MdmStore-HyperVVMSettings-{VMCreatorId}-PublicProfile-EnableFirewall-OmaUri-Begin -->

30
windows/client-management/mdm/firewall-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2815,6 +2815,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>
@ -3025,6 +3029,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
@ -3055,6 +3063,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
@ -3244,6 +3256,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
@ -3433,6 +3449,10 @@ The following XML file contains the device description framework (DDF) for the F
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
@ -4424,6 +4444,10 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>
@ -4808,6 +4832,10 @@ If not specified - a new rule is disabled by default.</Description>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.25398</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>

34
windows/client-management/mdm/laps-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- LAPS-Begin -->
# LAPS CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- LAPS-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
@ -54,7 +56,7 @@ The following list shows the LAPS configuration service provider nodes:
<!-- Device-Actions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-Applicability-End -->
<!-- Device-Actions-OmaUri-Begin -->
@ -93,7 +95,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP
<!-- Device-Actions-ResetPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPassword-Applicability-End -->
<!-- Device-Actions-ResetPassword-OmaUri-Begin -->
@ -133,7 +135,7 @@ This action invokes an immediate reset of the local administrator account passwo
<!-- Device-Actions-ResetPasswordStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Actions-ResetPasswordStatus-Applicability-End -->
<!-- Device-Actions-ResetPasswordStatus-OmaUri-Begin -->
@ -178,7 +180,7 @@ The value returned is an HRESULT code:
<!-- Device-Policies-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-Applicability-End -->
<!-- Device-Policies-OmaUri-Begin -->
@ -218,7 +220,7 @@ Root node for LAPS policies.
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADEncryptedPasswordHistorySize-Applicability-End -->
<!-- Device-Policies-ADEncryptedPasswordHistorySize-OmaUri-Begin -->
@ -268,7 +270,7 @@ This setting has a maximum allowed value of 12 passwords.
<!-- Device-Policies-AdministratorAccountName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-AdministratorAccountName-Applicability-End -->
<!-- Device-Policies-AdministratorAccountName-OmaUri-Begin -->
@ -313,7 +315,7 @@ Note if a custom managed local administrator account name is specified in this s
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionEnabled-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionEnabled-OmaUri-Begin -->
@ -375,7 +377,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-ADPasswordEncryptionPrincipal-Applicability-End -->
<!-- Device-Policies-ADPasswordEncryptionPrincipal-OmaUri-Begin -->
@ -431,7 +433,7 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-BackupDirectory-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-BackupDirectory-Applicability-End -->
<!-- Device-Policies-BackupDirectory-OmaUri-Begin -->
@ -489,7 +491,7 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-PasswordAgeDays-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordAgeDays-Applicability-End -->
<!-- Device-Policies-PasswordAgeDays-OmaUri-Begin -->
@ -537,7 +539,7 @@ This setting has a maximum allowed value of 365 days.
<!-- Device-Policies-PasswordComplexity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordComplexity-Applicability-End -->
<!-- Device-Policies-PasswordComplexity-OmaUri-Begin -->
@ -599,7 +601,7 @@ If not specified, this setting will default to 4.
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordExpirationProtectionEnabled-Applicability-End -->
<!-- Device-Policies-PasswordExpirationProtectionEnabled-OmaUri-Begin -->
@ -655,7 +657,7 @@ If not specified, this setting defaults to True.
<!-- Device-Policies-PasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PasswordLength-Applicability-End -->
<!-- Device-Policies-PasswordLength-OmaUri-Begin -->
@ -702,7 +704,7 @@ This setting has a maximum allowed value of 64 characters.
<!-- Device-Policies-PostAuthenticationActions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationActions-Applicability-End -->
<!-- Device-Policies-PostAuthenticationActions-OmaUri-Begin -->
@ -759,7 +761,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br>[10.0.25145] and later <br>Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.20348.1663] and later <br> ✅ Windows 10, version 1809 [10.0.17763.4244] and later <br> ✅ Windows 10, version 2004 [10.0.19041.2784] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1754] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.1480] and later <br> ✅ Windows Insider Preview [10.0.25145] |
<!-- Device-Policies-PostAuthenticationResetDelay-Applicability-End -->
<!-- Device-Policies-PostAuthenticationResetDelay-OmaUri-Begin -->

52
windows/client-management/mdm/passportforwork-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -34,6 +34,7 @@ The following list shows the PassportForWork configuration service provider node
- [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [EnableWindowsHelloProvisioningForSecurityKeys](#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
- [PINComplexity](#devicetenantidpoliciespincomplexity)
@ -265,6 +266,55 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
<!-- Device-{TenantId}-Policies-EnablePinRecovery-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Begin -->
#### Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Applicability-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys
```
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-OmaUri-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-Begin -->
<!-- Description-Source-DDF -->
Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Description-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Editable-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-DFProperties-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-Examples-End -->
<!-- Device-{TenantId}-Policies-EnableWindowsHelloProvisioningForSecurityKeys-End -->
<!-- Device-{TenantId}-Policies-ExcludeSecurityDevices-Begin -->
#### Device/{TenantId}/Policies/ExcludeSecurityDevices

41
windows/client-management/mdm/passportforwork-ddf.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableWindowsHelloProvisioningForSecurityKeys</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enable Windows Hello provisioning if users sign-in to their devices with FIDO2 security keys.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePostLogonProvisioning</NodeName>
<DFProperties>

424
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/01/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -64,8 +64,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_AppXRuntime
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md)
@ -141,7 +139,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md)
- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md)
@ -221,7 +218,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoRecycleBinIcon](policy-csp-admx-desktop.md)
- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md)
- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md)
- [NoDesktop](policy-csp-admx-desktop.md)
## ADMX_DeviceCompat
@ -542,7 +538,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md)
- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md)
- [RSoPLogging](policy-csp-admx-grouppolicy.md)
- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
- [FontMitigation](policy-csp-admx-grouppolicy.md)
## ADMX_Help
@ -1163,10 +1158,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## ADMX_PowerShellExecutionPolicy
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
@ -1339,7 +1330,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md)
- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md)
- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md)
- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md)
## ADMX_sdiageng
@ -1509,14 +1499,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoAutoTrayNotify](policy-csp-admx-startmenu.md)
- [Intellimenus](policy-csp-admx-startmenu.md)
- [NoInstrumentation](policy-csp-admx-startmenu.md)
- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
- [NoSetTaskbar](policy-csp-admx-startmenu.md)
- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
- [HidePowerOptions](policy-csp-admx-startmenu.md)
- [NoRun](policy-csp-admx-startmenu.md)
## ADMX_SystemRestore
@ -1590,8 +1573,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md)
- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md)
- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md)
- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
## ADMX_tcpip
@ -1849,132 +1830,13 @@ This article lists the ADMX-backed policies in Policy CSP.
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md)
- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md)
- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md)
- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
- [Finance](policy-csp-admx-userexperiencevirtualization.md)
- [Games](policy-csp-admx-userexperiencevirtualization.md)
- [Maps](policy-csp-admx-userexperiencevirtualization.md)
- [Music](policy-csp-admx-userexperiencevirtualization.md)
- [News](policy-csp-admx-userexperiencevirtualization.md)
- [Reader](policy-csp-admx-userexperiencevirtualization.md)
- [Sports](policy-csp-admx-userexperiencevirtualization.md)
- [Travel](policy-csp-admx-userexperiencevirtualization.md)
- [Video](policy-csp-admx-userexperiencevirtualization.md)
- [Weather](policy-csp-admx-userexperiencevirtualization.md)
## ADMX_UserProfiles
@ -2089,35 +1951,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md)
- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md)
- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md)
- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md)
- [ShowSleepOption](policy-csp-admx-windowsexplorer.md)
- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md)
- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
## ADMX_WindowsMediaDRM
@ -2174,7 +2012,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md)
- [SoftwareSASGeneration](policy-csp-admx-winlogon.md)
- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md)
- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
## ADMX_Winsrv
@ -2204,7 +2041,6 @@ This article lists the ADMX-backed policies in Policy CSP.
- [NoQuietHours](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
- [NoLockScreenToastNotification](policy-csp-admx-wpn.md)
- [NoToastNotification](policy-csp-admx-wpn.md)
## AppRuntime
@ -2249,9 +2085,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## Autoplay
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
- [TurnOffAutoPlay](policy-csp-autoplay.md)
@ -2279,7 +2112,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## CredentialsUI
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [DisablePasswordReveal](policy-csp-credentialsui.md)
- [EnumerateAdministrators](policy-csp-credentialsui.md)
@ -2608,264 +2440,11 @@ This article lists the ADMX-backed policies in Policy CSP.
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
- [AddSearchProvider](policy-csp-internetexplorer.md)
- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
- [DisableUpdateCheck](policy-csp-internetexplorer.md)
- [DisableProxyChange](policy-csp-internetexplorer.md)
- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
- [AllowSuggestedSites](policy-csp-internetexplorer.md)
- [DisableCompatView](policy-csp-internetexplorer.md)
- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
- [DisableGeolocation](policy-csp-internetexplorer.md)
- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
- [NewTabDefaultPage](policy-csp-internetexplorer.md)
- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
- [SearchProviderList](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md)
- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md)
- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
- [JScriptReplacement](policy-csp-internetexplorer.md)
- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
- [AllowAddOnList](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
- [AllowOneWordEntry](policy-csp-internetexplorer.md)
- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
- [AllowFallbackToSSL3](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md)
- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
- [DisableCrashDetection](policy-csp-internetexplorer.md)
- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
- [DisableHTMLApplication](policy-csp-internetexplorer.md)
## Kerberos
@ -3024,7 +2603,6 @@ This article lists the ADMX-backed policies in Policy CSP.
## WindowsPowerShell
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
## Related articles

75
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -40,8 +40,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md)
- [AllowGameDVR](policy-csp-applicationmanagement.md)
- [AllowSharedUserAppData](policy-csp-applicationmanagement.md)
- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md)
- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md)
- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md)
@ -125,59 +123,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
- [AllowDeveloperTools](policy-csp-browser.md)
- [AllowDoNotTrack](policy-csp-browser.md)
- [AllowExtensions](policy-csp-browser.md)
- [AllowFlash](policy-csp-browser.md)
- [AllowFlashClickToRun](policy-csp-browser.md)
- [AllowFullScreenMode](policy-csp-browser.md)
- [AllowInPrivate](policy-csp-browser.md)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
- [AllowPasswordManager](policy-csp-browser.md)
- [AllowPopups](policy-csp-browser.md)
- [AllowPrinting](policy-csp-browser.md)
- [AllowSavingHistory](policy-csp-browser.md)
- [AllowSearchEngineCustomization](policy-csp-browser.md)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
- [AllowSideloadingOfExtensions](policy-csp-browser.md)
- [AllowSmartScreen](policy-csp-browser.md)
- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
- [ClearBrowsingDataOnExit](policy-csp-browser.md)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
- [ConfigureFavoritesBar](policy-csp-browser.md)
- [ConfigureHomeButton](policy-csp-browser.md)
- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
- [DisableLockdownOfStartPages](policy-csp-browser.md)
- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
- [AllowTabPreloading](policy-csp-browser.md)
- [AllowPrelaunch](policy-csp-browser.md)
- [EnterpriseModeSiteList](policy-csp-browser.md)
- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
- [HomePages](policy-csp-browser.md)
- [LockdownFavorites](policy-csp-browser.md)
- [ConfigureKioskMode](policy-csp-browser.md)
- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
- [PreventFirstRunPage](policy-csp-browser.md)
- [PreventCertErrorOverrides](policy-csp-browser.md)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
- [PreventLiveTileDataCollection](policy-csp-browser.md)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
- [ProvisionFavorites](policy-csp-browser.md)
- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
- [SetDefaultSearchEngine](policy-csp-browser.md)
- [SetHomeButtonURL](policy-csp-browser.md)
- [SetNewTabPageURL](policy-csp-browser.md)
- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
- [UnlockHomeButton](policy-csp-browser.md)
- [UseSharedFolderForBooks](policy-csp-browser.md)
- [AllowAddressBarDropdown](policy-csp-browser.md)
- [AllowAutofill](policy-csp-browser.md)
- [AllowCookies](policy-csp-browser.md)
@ -252,6 +197,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md)
- [TLSCipherSuites](policy-csp-cryptography.md)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md)
## Defender
@ -347,7 +294,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [EnablePerProcessDpi](policy-csp-display.md)
- [TurnOnGdiDPIScalingForApps](policy-csp-display.md)
- [TurnOffGdiDPIScalingForApps](policy-csp-display.md)
- [EnablePerProcessDpi](policy-csp-display.md)
- [EnablePerProcessDpiForApps](policy-csp-display.md)
- [DisablePerProcessDpiForApps](policy-csp-display.md)
@ -630,7 +576,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PublishUserActivities](policy-csp-privacy.md)
- [UploadUserActivities](policy-csp-privacy.md)
- [AllowCrossDeviceClipboard](policy-csp-privacy.md)
- [DisablePrivacyExperience](policy-csp-privacy.md)
- [LetAppsActivateWithVoice](policy-csp-privacy.md)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md)
@ -664,7 +609,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureTaskbarCalendar](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
- [PageVisibilityList](policy-csp-settings.md)
- [AllowOnlineTips](policy-csp-settings.md)
## SmartScreen
@ -691,18 +635,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md)
- [DisableContextMenus](policy-csp-start.md)
- [ShowOrHideMostUsedApps](policy-csp-start.md)
- [HideFrequentlyUsedApps](policy-csp-start.md)
- [HideRecentlyAddedApps](policy-csp-start.md)
- [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md)
- [HideRecommendedPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md)
## Storage
@ -721,7 +655,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowBuildPreview](policy-csp-system.md)
- [AllowFontProviders](policy-csp-system.md)
- [AllowLocation](policy-csp-system.md)
- [AllowTelemetry](policy-csp-system.md)
- [TelemetryProxy](policy-csp-system.md)
- [DisableOneDriveFileSync](policy-csp-system.md)
- [AllowWUfBCloudProcessing](policy-csp-system.md)
@ -767,7 +700,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md)
- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md)
- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
## Troubleshooting
@ -842,6 +774,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
- [AllowOptionalContent](policy-csp-update.md)
## UserRights

9
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/01/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -73,6 +73,12 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [ConfigureEllipticCurveCryptography](policy-csp-cryptography.md#configureellipticcurvecryptography)
- [ConfigureSystemCryptographyForceStrongKeyProtection](policy-csp-cryptography.md#configuresystemcryptographyforcestrongkeyprotection)
- [OverrideMinimumEnabledDTLSVersionClient](policy-csp-cryptography.md#overrideminimumenableddtlsversionclient)
- [OverrideMinimumEnabledDTLSVersionServer](policy-csp-cryptography.md#overrideminimumenableddtlsversionserver)
- [OverrideMinimumEnabledTLSVersionClient](policy-csp-cryptography.md#overrideminimumenabledtlsversionclient)
- [OverrideMinimumEnabledTLSVersionServer](policy-csp-cryptography.md#overrideminimumenabledtlsversionserver)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender
@ -313,6 +319,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowOptionalContent](policy-csp-update.md#allowoptionalcontent)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)

2
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage

4
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowActionCenterNotifications-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowActionCenterNotifications-Applicability-End -->
<!-- AllowActionCenterNotifications-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -435,7 +435,7 @@ Manages a Windows app's ability to share data between users who have installed t
<!-- AllowStore-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> Education <br> ❌ Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowStore-Applicability-End -->
<!-- AllowStore-OmaUri-Begin -->
@ -487,7 +487,7 @@ This policy is deprecated.
<!-- ApplicationRestrictions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- ApplicationRestrictions-Applicability-End -->
<!-- ApplicationRestrictions-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-browser.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -185,7 +185,7 @@ To verify AllowAutofill is set to 0 (not allowed):
<!-- AllowBrowser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowBrowser-Applicability-End -->
<!-- AllowBrowser-OmaUri-Begin -->
@ -2720,7 +2720,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM
<!-- FirstRunURL-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- FirstRunURL-Applicability-End -->
<!-- FirstRunURL-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -259,7 +259,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i
<!-- AllowNFC-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowNFC-Applicability-End -->
<!-- AllowNFC-OmaUri-Begin -->
@ -382,7 +382,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
<!-- AllowUSBConnection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowUSBConnection-Applicability-End -->
<!-- AllowUSBConnection-OmaUri-Begin -->

304
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Cryptography Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
@ -78,6 +80,283 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- AllowFipsAlgorithmPolicy-End -->
<!-- ConfigureEllipticCurveCryptography-Begin -->
## ConfigureEllipticCurveCryptography
<!-- ConfigureEllipticCurveCryptography-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureEllipticCurveCryptography-Applicability-End -->
<!-- ConfigureEllipticCurveCryptography-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureEllipticCurveCryptography
```
<!-- ConfigureEllipticCurveCryptography-OmaUri-End -->
<!-- ConfigureEllipticCurveCryptography-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line)
- If you disable or don't configure this policy setting, the default ECC curve order is used.
Default Curve Order
curve25519
NistP256
NistP384
To See all the curves supported on the system, Use the following command:
CertUtil.exe -DisplayEccCurve.
<!-- ConfigureEllipticCurveCryptography-Description-End -->
<!-- ConfigureEllipticCurveCryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Editable-End -->
<!-- ConfigureEllipticCurveCryptography-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- ConfigureEllipticCurveCryptography-DFProperties-End -->
<!-- ConfigureEllipticCurveCryptography-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCurveOrder |
| Friendly Name | ECC Curve Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- ConfigureEllipticCurveCryptography-GpMapping-End -->
<!-- ConfigureEllipticCurveCryptography-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureEllipticCurveCryptography-Examples-End -->
<!-- ConfigureEllipticCurveCryptography-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Begin -->
## ConfigureSystemCryptographyForceStrongKeyProtection
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Applicability-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/ConfigureSystemCryptographyForceStrongKeyProtection
```
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-OmaUri-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-Begin -->
<!-- Description-Source-DDF -->
System cryptography: Force strong key protection for user keys stored on the computer. Last write wins.
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Description-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Editable-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-DFProperties-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-Begin -->
**Allowed values**:
| Flag | Description |
|:--|:--|
| 8 | An app container has accessed a medium key that isn't strongly protected. For example, a key that's for user consent only, or is password or fingerprint protected. |
| 2 (Default) | Force high protection. |
| 1 | Display the strong key user interface as needed. |
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-AllowedValues-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-Examples-End -->
<!-- ConfigureSystemCryptographyForceStrongKeyProtection-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Begin -->
## OverrideMinimumEnabledDTLSVersionClient
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionClient
```
<!-- OverrideMinimumEnabledDTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionClient-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Begin -->
## OverrideMinimumEnabledDTLSVersionServer
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledDTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledDTLSVersionServer
```
<!-- OverrideMinimumEnabledDTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledDTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledDTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledDTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledDTLSVersionServer-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Begin -->
## OverrideMinimumEnabledTLSVersionClient
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionClient-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionClient
```
<!-- OverrideMinimumEnabledTLSVersionClient-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for client role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionClient-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionClient-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionClient-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionClient-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Begin -->
## OverrideMinimumEnabledTLSVersionServer
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- OverrideMinimumEnabledTLSVersionServer-Applicability-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/OverrideMinimumEnabledTLSVersionServer
```
<!-- OverrideMinimumEnabledTLSVersionServer-OmaUri-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Description-Begin -->
<!-- Description-Source-DDF -->
Override minimal enabled TLS version for server role. Last write wins.
<!-- OverrideMinimumEnabledTLSVersionServer-Description-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Editable-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1.0 |
<!-- OverrideMinimumEnabledTLSVersionServer-DFProperties-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- OverrideMinimumEnabledTLSVersionServer-Examples-End -->
<!-- OverrideMinimumEnabledTLSVersionServer-End -->
<!-- TLSCipherSuites-Begin -->
## TLSCipherSuites
@ -94,8 +373,14 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy.
<!-- TLSCipherSuites-OmaUri-End -->
<!-- TLSCipherSuites-Description-Begin -->
<!-- Description-Source-DDF -->
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
<!-- Description-Source-ADMX -->
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
- If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
- If you disable or don't configure this policy setting, default cipher suite order is used.
Link for all the cipherSuites: <https://go.microsoft.com/fwlink/?LinkId=517265>
<!-- TLSCipherSuites-Description-End -->
<!-- TLSCipherSuites-Editable-Begin -->
@ -112,6 +397,19 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
| Allowed Values | List (Delimiter: `;`) |
<!-- TLSCipherSuites-DFProperties-End -->
<!-- TLSCipherSuites-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSLCipherSuiteOrder |
| Friendly Name | SSL Cipher Suite Order |
| Location | Computer Configuration |
| Path | Network > SSL Configuration Settings |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
| ADMX File Name | CipherSuiteOrder.admx |
<!-- TLSCipherSuites-GpMapping-End -->
<!-- TLSCipherSuites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TLSCipherSuites-Examples-End -->

5
windows/client-management/mdm/policy-csp-defender.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -444,6 +444,9 @@ This policy setting allows you to manage whether or not to scan for malicious so
<!-- AllowIntrusionPreventionSystem-Begin -->
## AllowIntrusionPreventionSystem
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- AllowIntrusionPreventionSystem-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|

6
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -121,7 +121,7 @@ Allow Administrator account lockout This security setting determines whether the
<!-- AllowIdleReturnWithoutPassword-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowIdleReturnWithoutPassword-Applicability-End -->
<!-- AllowIdleReturnWithoutPassword-OmaUri-Begin -->
@ -789,7 +789,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1709 [10.0.16299] and later |
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-Applicability-End -->
<!-- MaxInactivityTimeDeviceLockWithExternalDisplay-OmaUri-Begin -->

2
windows/client-management/mdm/policy-csp-dmaguard.md
View File

@ -46,6 +46,8 @@ This policy is intended to provide more security against external DMA capable de
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy requires a system reboot to take effect.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
<!-- DeviceEnumerationPolicy-Editable-End -->

8
windows/client-management/mdm/policy-csp-experience.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -107,7 +107,7 @@ Policy change takes effect immediately.
<!-- AllowCopyPaste-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowCopyPaste-Applicability-End -->
<!-- AllowCopyPaste-OmaUri-Begin -->
@ -840,7 +840,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide
<!-- AllowTaskSwitcher-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowTaskSwitcher-Applicability-End -->
<!-- AllowTaskSwitcher-OmaUri-Begin -->
@ -956,7 +956,7 @@ Specifies whether to allow app and content suggestions from third-party software
<!-- AllowVoiceRecording-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowVoiceRecording-Applicability-End -->
<!-- AllowVoiceRecording-OmaUri-Begin -->

298
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MixedReality-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices.
@ -538,6 +540,153 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- DisallowNetworkConnectivityPassivePolling-End -->
<!-- EnableStartMenuSingleHandGesture-Begin -->
## EnableStartMenuSingleHandGesture
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuSingleHandGesture
```
<!-- EnableStartMenuSingleHandGesture-OmaUri-End -->
<!-- EnableStartMenuSingleHandGesture-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu is enabled or not.
<!-- EnableStartMenuSingleHandGesture-Description-End -->
<!-- EnableStartMenuSingleHandGesture-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Editable-End -->
<!-- EnableStartMenuSingleHandGesture-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuSingleHandGesture-DFProperties-End -->
<!-- EnableStartMenuSingleHandGesture-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
| 1 (Default) | Allow pinching your thumb and index finger, while looking at the Start icon on your wrist, to open the Start menu. |
<!-- EnableStartMenuSingleHandGesture-AllowedValues-End -->
<!-- EnableStartMenuSingleHandGesture-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuSingleHandGesture-Examples-End -->
<!-- EnableStartMenuSingleHandGesture-End -->
<!-- EnableStartMenuVoiceCommand-Begin -->
## EnableStartMenuVoiceCommand
<!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuVoiceCommand
```
<!-- EnableStartMenuVoiceCommand-OmaUri-End -->
<!-- EnableStartMenuVoiceCommand-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if using voice commands to open the Start menu is enabled or not.
<!-- EnableStartMenuVoiceCommand-Description-End -->
<!-- EnableStartMenuVoiceCommand-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Editable-End -->
<!-- EnableStartMenuVoiceCommand-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuVoiceCommand-DFProperties-End -->
<!-- EnableStartMenuVoiceCommand-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Using voice commands to open the Start menu is disabled. |
| 1 (Default) | Using voice commands to open the Start menu is enabled. |
<!-- EnableStartMenuVoiceCommand-AllowedValues-End -->
<!-- EnableStartMenuVoiceCommand-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuVoiceCommand-Examples-End -->
<!-- EnableStartMenuVoiceCommand-End -->
<!-- EnableStartMenuWristTap-Begin -->
## EnableStartMenuWristTap
<!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/EnableStartMenuWristTap
```
<!-- EnableStartMenuWristTap-OmaUri-End -->
<!-- EnableStartMenuWristTap-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if tapping the Star icon on your wrist to open the Start menu is enabled or not.
<!-- EnableStartMenuWristTap-Description-End -->
<!-- EnableStartMenuWristTap-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Editable-End -->
<!-- EnableStartMenuWristTap-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- EnableStartMenuWristTap-DFProperties-End -->
<!-- EnableStartMenuWristTap-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Don't allow tapping the Start icon on your wrist to open the Start menu. |
| 1 (Default) | Allow tapping the Start icon on your wrist to open the Start menu. |
<!-- EnableStartMenuWristTap-AllowedValues-End -->
<!-- EnableStartMenuWristTap-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableStartMenuWristTap-Examples-End -->
<!-- EnableStartMenuWristTap-End -->
<!-- EyeTrackingCalibrationPrompt-Begin -->
## EyeTrackingCalibrationPrompt
@ -852,6 +1001,153 @@ The following example XML string shows the value to enable this policy:
<!-- NtpClientEnabled-End -->
<!-- PreferLogonAsOtherUser-Begin -->
## PreferLogonAsOtherUser
<!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/PreferLogonAsOtherUser
```
<!-- PreferLogonAsOtherUser-OmaUri-End -->
<!-- PreferLogonAsOtherUser-Description-Begin -->
<!-- Description-Source-DDF -->
This policy configures whether the Sign-In App should prefer showing Other User panel to user.
<!-- PreferLogonAsOtherUser-Description-End -->
<!-- PreferLogonAsOtherUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Editable-End -->
<!-- PreferLogonAsOtherUser-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- PreferLogonAsOtherUser-DFProperties-End -->
<!-- PreferLogonAsOtherUser-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- PreferLogonAsOtherUser-AllowedValues-End -->
<!-- PreferLogonAsOtherUser-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PreferLogonAsOtherUser-Examples-End -->
<!-- PreferLogonAsOtherUser-End -->
<!-- RequireStartIconHold-Begin -->
## RequireStartIconHold
<!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconHold
```
<!-- RequireStartIconHold-OmaUri-End -->
<!-- RequireStartIconHold-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's require that the Start icon to be pressed for 2 seconds to open the Start menu.
<!-- RequireStartIconHold-Description-End -->
<!-- RequireStartIconHold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconHold-Editable-End -->
<!-- RequireStartIconHold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconHold-DFProperties-End -->
<!-- RequireStartIconHold-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be pressed for 2 seconds. |
| 1 | Require the Start icon to be pressed for 2 seconds. |
<!-- RequireStartIconHold-AllowedValues-End -->
<!-- RequireStartIconHold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconHold-Examples-End -->
<!-- RequireStartIconHold-End -->
<!-- RequireStartIconVisible-Begin -->
## RequireStartIconVisible
<!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/RequireStartIconVisible
```
<!-- RequireStartIconVisible-OmaUri-End -->
<!-- RequireStartIconVisible-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls if it's required that the Start icon to be looked at when you tap it to open the Start menu.
<!-- RequireStartIconVisible-Description-End -->
<!-- RequireStartIconVisible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Editable-End -->
<!-- RequireStartIconVisible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RequireStartIconVisible-DFProperties-End -->
<!-- RequireStartIconVisible-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Don't require the Start icon to be looked at when you tap it. |
| 1 | Require the Start icon to be looked at when you tap it. |
<!-- RequireStartIconVisible-AllowedValues-End -->
<!-- RequireStartIconVisible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequireStartIconVisible-Examples-End -->
<!-- RequireStartIconVisible-End -->
<!-- SkipCalibrationDuringSetup-Begin -->
## SkipCalibrationDuringSetup

4
windows/client-management/mdm/policy-csp-networklistmanager.md
View File

@ -4,7 +4,7 @@ description: Learn more about the NetworkListManager Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -37,7 +37,7 @@ ms.topic: reference
<!-- AllowedTlsAuthenticationEndpoints-Description-Begin -->
<!-- Description-Source-DDF -->
List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
List of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
<!-- AllowedTlsAuthenticationEndpoints-Description-End -->
<!-- AllowedTlsAuthenticationEndpoints-Editable-Begin -->

12
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- Privacy-Begin -->
# Policy CSP - Privacy
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Privacy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Privacy-Editable-End -->
@ -2934,7 +2936,7 @@ If an app is open when this Group Policy object is applied on a device, employee
<!-- LetAppsAccessHumanPresence-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence-Applicability-End -->
<!-- LetAppsAccessHumanPresence-OmaUri-Begin -->
@ -2994,7 +2996,7 @@ This policy setting specifies whether Windows apps can access the human presence
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceAllowTheseApps-OmaUri-Begin -->
@ -3044,7 +3046,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_ForceDenyTheseApps-OmaUri-Begin -->
@ -3094,7 +3096,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ [10.0.25000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview [10.0.25000] |
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-Applicability-End -->
<!-- LetAppsAccessHumanPresence_UserInControlOfTheseApps-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-search.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1123,7 +1123,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!-- SafeSearchPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- SafeSearchPermissions-Applicability-End -->
<!-- SafeSearchPermissions-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-security.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Security Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -78,7 +78,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni
<!-- AllowManualRootCertificateInstallation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowManualRootCertificateInstallation-Applicability-End -->
<!-- AllowManualRootCertificateInstallation-OmaUri-Begin -->
@ -179,7 +179,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin
<!-- AntiTheftMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1507 [10.0.10240] and later |
<!-- AntiTheftMode-Applicability-End -->
<!-- AntiTheftMode-OmaUri-Begin -->

2
windows/client-management/mdm/policy-csp-start.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/07/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage

4
windows/client-management/mdm/policy-csp-timelanguagesettings.md
View File

@ -4,7 +4,7 @@ description: Learn more about the TimeLanguageSettings Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -29,7 +29,7 @@ ms.topic: reference
<!-- AllowSet24HourClock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> Windows SE | ✅ Windows 10, version 1703 [10.0.15063] and later |
<!-- AllowSet24HourClock-Applicability-End -->
<!-- AllowSet24HourClock-OmaUri-Begin -->

396
windows/client-management/mdm/policy-csp-update.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/11/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -25,6 +25,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AllowOptionalContent](#allowoptionalcontent)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@ -106,6 +107,65 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
<!-- AllowOptionalContent-Begin -->
### AllowOptionalContent
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows Insider Preview |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent
```
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
This policy enables devices to get offered optional updates and users interact with the 'Get the latest updates as soon as they're available' toggle on the Windows Update Settings page.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionalContent-Editable-End -->
<!-- AllowOptionalContent-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionalContent-DFProperties-End -->
<!-- AllowOptionalContent-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Device doesn't receive optional updates. |
| 1 | Device receives optional updates and user can install from WU Settings page. |
| 2 | Device receives optional updates and install them as soon as they're available. |
<!-- AllowOptionalContent-AllowedValues-End -->
<!-- AllowOptionalContent-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionalContent-Examples-End -->
<!-- AllowOptionalContent-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@ -393,6 +453,7 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you
| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). |
| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). |
| 64 | {0x40} - Release Preview of Quality Updates Only. |
| 128 | {0x80} - Canary Channel. |
<!-- BranchReadinessLevel-AllowedValues-End -->
<!-- BranchReadinessLevel-GpMapping-Begin -->
@ -2079,41 +2140,8 @@ Note that the default max active hours range is 18 hours from the active hours s
<!-- AllowAutoUpdate-OmaUri-End -->
<!-- AllowAutoUpdate-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you won't get security updates as well. If the policy isn't configured, end-users get the default behavior (Auto install and restart).
<!-- AllowAutoUpdate-Description-End -->
<!-- AllowAutoUpdate-Editable-Begin -->
@ -2245,41 +2273,8 @@ This policy is accessible through the Update setting in the user interface or Gr
<!-- AllowMUUpdateService-OmaUri-End -->
<!-- AllowMUUpdateService-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<!-- AllowMUUpdateService-Description-End -->
<!-- AllowMUUpdateService-Editable-Begin -->
@ -2824,41 +2819,8 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
<!-- ScheduledInstallDay-OmaUri-End -->
<!-- ScheduledInstallDay-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the day of the update installation. The data type is a integer.
<!-- ScheduledInstallDay-Description-End -->
<!-- ScheduledInstallDay-Editable-Begin -->
@ -2928,41 +2890,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallEveryWeek-OmaUri-End -->
<!-- ScheduledInstallEveryWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the every week. Value type is integer.
<!-- ScheduledInstallEveryWeek-Description-End -->
<!-- ScheduledInstallEveryWeek-Editable-Begin -->
@ -3026,41 +2955,8 @@ If the status is set to Not Configured, use of Automatic Updates isn't specified
<!-- ScheduledInstallFirstWeek-OmaUri-End -->
<!-- ScheduledInstallFirstWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer.
<!-- ScheduledInstallFirstWeek-Description-End -->
<!-- ScheduledInstallFirstWeek-Editable-Begin -->
@ -3133,41 +3029,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallFourthWeek-OmaUri-End -->
<!-- ScheduledInstallFourthWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer.
<!-- ScheduledInstallFourthWeek-Description-End -->
<!-- ScheduledInstallFourthWeek-Editable-Begin -->
@ -3240,41 +3103,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallSecondWeek-OmaUri-End -->
<!-- ScheduledInstallSecondWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer.
<!-- ScheduledInstallSecondWeek-Description-End -->
<!-- ScheduledInstallSecondWeek-Editable-Begin -->
@ -3347,41 +3177,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallThirdWeek-OmaUri-End -->
<!-- ScheduledInstallThirdWeek-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer.
<!-- ScheduledInstallThirdWeek-Description-End -->
<!-- ScheduledInstallThirdWeek-Editable-Begin -->
@ -3454,41 +3251,8 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-OmaUri-End -->
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service.
> [!NOTE]
> This policy doesn't apply to %WINDOWS_ARM_VERSION_6_2%.
This setting lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting:
2 = Notify before downloading and installing any updates.
When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates.
3 = (Default setting) Download the updates automatically and notify when they're ready to be installed.
Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them.
4 = Automatically download updates and install them on the schedule specified below.
When "Automatic" is selected as the scheduled install time, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10, version 1809 and higher)
Specify the schedule using the options in the Group Policy Setting. For version 1709 and above, there is an additional choice of limiting updating to a weekly, bi-weekly, or monthly occurrence. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart).
On %WINDOWS_CLIENT_VERSION_6_2% and later, you can set updates to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer isn't in use and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental data loss.
5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option hasn't been carried over to any Win 10 Versions)
With this option, local administrators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates.
7 = Notify for install and notify for restart. (Windows Server only)
With this option from Windows Server 2016, applicable only to Server SKU devices, local administrators will be allowed to use Windows Update to proceed with installations or reboots manually.
If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start.
If the status is set to Not Configured, use of Automatic Updates isn't specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->

10
windows/client-management/mdm/vpnv2-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/06/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- Device-{ProfileName}-EdpModeId-Description-End -->
<!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -3119,7 +3119,7 @@ Type of routing policy.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- User-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- User-{ProfileName}-EdpModeId-Description-End -->
<!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7359,7 +7359,7 @@ Type of routing policy.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->

26
windows/client-management/mdm/windowslicensing-csp.md
View File

@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 05/10/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- WindowsLicensing-Begin -->
# WindowsLicensing CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsLicensing-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The WindowsLicensing configuration service provider is designed for licensing related management scenarios.
@ -161,7 +163,7 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi
<!-- Device-DeviceLicensingService-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-Applicability-End -->
<!-- Device-DeviceLicensingService-OmaUri-Begin -->
@ -200,7 +202,7 @@ Device Based Subscription.
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastError-OmaUri-Begin -->
@ -239,7 +241,7 @@ Returns the last error code of Refresh/Remove Device License operation. Value wo
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingLastErrorDescription-OmaUri-Begin -->
@ -278,7 +280,7 @@ Returns last error description from Device Licensing. Value would be empty, if e
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-Applicability-End -->
<!-- Device-DeviceLicensingService-DeviceLicensingStatus-OmaUri-Begin -->
@ -317,7 +319,7 @@ Returns the status of Refresh/Remove Device License operation.
<!-- Device-DeviceLicensingService-LicenseType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 11, version 21H2 [10.0.22000.1165] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-DeviceLicensingService-LicenseType-Applicability-End -->
<!-- Device-DeviceLicensingService-LicenseType-OmaUri-Begin -->
@ -997,7 +999,7 @@ Returns the status of the subscription.
<!-- Device-Subscriptions-DisableSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-DisableSubscription-Applicability-End -->
<!-- Device-Subscriptions-DisableSubscription-OmaUri-Begin -->
@ -1045,7 +1047,7 @@ Disable or Enable subscription activation on a device.
<!-- Device-Subscriptions-RemoveSubscription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-RemoveSubscription-Applicability-End -->
<!-- Device-Subscriptions-RemoveSubscription-OmaUri-Begin -->
@ -1084,7 +1086,7 @@ Remove subscription uninstall subscription license. It also reset subscription t
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastError-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastError-OmaUri-Begin -->
@ -1123,7 +1125,7 @@ Error code of last subscription operation. Value would be empty(0) in absence of
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionLastErrorDescription-OmaUri-Begin -->
@ -1162,7 +1164,7 @@ Error description of last subscription operation. Value would be empty, if error
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionStatus-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionStatus-OmaUri-Begin -->
@ -1201,7 +1203,7 @@ Status of last subscription operation.
<!-- Device-Subscriptions-SubscriptionType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows 10, version 1607 [10.0.14393] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE | ✅ Windows Insider Preview |
<!-- Device-Subscriptions-SubscriptionType-Applicability-End -->
<!-- Device-Subscriptions-SubscriptionType-OmaUri-Begin -->

28
windows/client-management/mdm/windowslicensing-ddf-file.md
View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 08/02/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -342,6 +342,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
@ -373,6 +377,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -394,6 +402,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -415,6 +427,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
@ -436,6 +452,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
@ -467,6 +487,10 @@ The following XML file contains the device description framework (DDF) for the W
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node>
@ -600,7 +624,7 @@ The following XML file contains the device description framework (DDF) for the W
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>10.0.22621, 10.0.22000.1165</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>

2
windows/deployment/update/wufb-reports-do.md
View File

@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
```powershell
$text = "<myOriginalGroupID>" ;
$text = "<myOriginalGroupID>`0" ; # The `0 null terminator is required
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
```

6
windows/deployment/windows-autopatch/TOC.yml
View File

@ -76,7 +76,7 @@
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- name: Windows quality and feature update reports
- name: Windows quality and feature update reports overview
href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
items:
- name: Windows quality update reports
@ -107,8 +107,8 @@
href: operate/windows-autopatch-manage-driver-and-firmware-updates.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
- name: Deregister a device
href: operate/windows-autopatch-deregister-devices.md
- name: Exclude a device
href: operate/windows-autopatch-exclude-device.md
- name: Unenroll your tenant
href: operate/windows-autopatch-unenroll-tenant.md
- name: References

51
windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
View File

@ -1,51 +0,0 @@
---
title: Deregister a device
description: This article explains how to deregister devices
ms.date: 06/15/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
ms.collection:
- tier2
---
# Deregister a device
To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
**To deregister a device:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
> [!WARNING]
> Removing devices from the Windows Autopatch Device Registration Azure AD group doesn't deregister devices from the Windows Autopatch service.
## Excluded devices
When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to reregister the device into the service again, since the deregistration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
> [!IMPORTANT]
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
If you want to reregister a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices.
## Hiding unregistered devices
You can hide unregistered devices you don't expect to be remediated anytime soon.
**To hide unregistered devices:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
1. Unselect the **Registration failed** status checkbox from the list.

56
windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
ms.collection:
- tier2
---
# Exclude a device
To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups.
> [!IMPORTANT]
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
**To exclude a device:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In either the **Ready** or **Not ready** tab, select the device(s) you want to exclude.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**.
> [!WARNING]
> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service.
## Only view excluded devices
You can view the excluded devices in the **Not registered** tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service.
**To view only excluded devices:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select **Excluded** from the filter list. Leave all other filter options unselected.
## Restore a device or multiple devices previously excluded
**To restore a device or multiple devices previously excluded:**
1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Windows Autopatch** in the left navigation menu.
1. Select **Devices**.
1. In the **Not registered** tab, select the device(s) you want to restore.
1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Restore device**.

9
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
View File

@ -21,9 +21,10 @@ ms.collection:
The Windows quality reports provide you with information about:
Quality update device readiness
Device update health
Device update alerts
- Quality update device readiness
- Device update health
- Device update alerts
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
The Windows quality report types are organized into the following focus areas:
@ -106,4 +107,4 @@ Within each 24-hour reporting period, devices that are Not Ready are reevaluated
## Data export
Select**Export devices**to export data for each report type. Only selected columns will be exported.
Select**Export devices**to export data for each report type. Only selected columns are exported.

16
windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 07/27/2022
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices).
- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md).
- Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE]
@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
## Your responsibilities after unenrolling your tenant
@ -50,10 +50,10 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
**To unenroll from Windows Autopatch:**
1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service.
1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
1. [Submit a support request](../operate/windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
1. The Windows Autopatch Service Engineering Team communicates with your IT Administrator to confirm your intent to unenroll from the service.
1. You have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete.
1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete.
1. Youre responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).

4
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 07/11/2023
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -64,7 +64,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
| ----- | ----- |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Exclude a device](../operate/windows-autopatch-exclude-device.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> |
### Have feedback or would like to start a discussion?

8
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 07/31/2023
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -86,10 +86,10 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li></ul> | :heavy_check_mark: | :x: |
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li></ul>
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
| Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: |

3
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 08/01/2023
ms.date: 08/08/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -27,6 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature |
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
## July 2023

34
windows/hub/breadcrumb/toc.yml
View File

@ -37,29 +37,31 @@ items:
tocHref: /windows/security/
topicHref: /windows/security/
items:
- name: Hardware security
tocHref: /windows/security/hardware-security/
topicHref: /windows/security/hardware-security/
- name: Operating system security
tocHref: /windows/security/operating-system-security/
topicHref: /windows/security/operating-system-security/
- name: Identity protection
tocHref: /windows/security/identity-protection/
topicHref: /windows/security/identity-protection/
- name: Application security
tocHref: /windows/security/application-security/
topicHref: /windows/security/application-security/
items:
- name: Windows Hello for Business
tocHref: /windows/security/identity-protection/hello-for-business/
topicHref: /windows/security/identity-protection/hello-for-business
- name: Application Control for Windows
tocHref: /windows/security/application-security/application-control/windows-defender-application-control/
topicHref: /windows/security/application-security/application-control/windows-defender-application-control/
- name: Microsoft Defender Application Guard
tocHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/
topicHref: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- name: Security foundations
tocHref: /windows/security/security-foundations/
topicHref: /windows/security/security-foundations/
- name: Security auditing
tocHref: /windows/security/threat-protection/auditing/
topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
- name: Microsoft Defender Application Guard
tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/
topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
- name: Security policy settings
tocHref: /windows/security/threat-protection/security-policy-settings/
topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
- name: Application Control for Windows
tocHref: /windows/security/threat-protection/windows-defender-application-control/
topicHref: /windows/security/threat-protection/windows-defender-application-control/
- name: OS
tocHref: /windows/security/operating-system-security/
topicHref: /windows/security/operating-system-security/
- name: Windows Defender Firewall
tocHref: /windows/security/operating-system-security/network-security/windows-firewall/
topicHref: /windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security

2
windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
View File

@ -32,7 +32,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | No |
| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
| **8 Required:EV Signers** | This option isn't currently supported. | No |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |

92
windows/security/identity-protection/access-control/local-accounts.md
View File

@ -1,11 +1,8 @@
---
ms.date: 12/05/2022
ms.date: 08/03/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: conceptual
ms.collection:
- highpri
- tier2
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
@ -20,7 +17,7 @@ This article describes the default local user accounts for Windows operating sys
## About local user accounts
Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
## Default local user accounts
@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso
Default local user accounts are described in the following sections. Expand each section for more information.
<br>
<details>
<summary><b>Administrator</b></summary>
### Administrator
The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
**Account group membership**
#### Account group membership
By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.
The Administrator account can't be removed from the Administrators group.
**Security considerations**
#### Security considerations
Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
@ -62,50 +57,41 @@ Group Policy can be used to control the use of the local Administrators group au
> [!IMPORTANT]
>
> - Blank passwords are not allowed.
>
> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
> - Blank passwords are not allowed
> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled.
</details>
<br>
<details>
<summary><b>Guest</b></summary>
### Guest
The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.
**Account group membership**
#### Guest account group membership
By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device.
By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device.
**Security considerations**
#### Guest account security considerations
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.
In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.
</details>
<br>
<details>
<summary><b>HelpAssistant</b></summary>
### HelpAssistant
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
**Security considerations**
#### HelpAssistant account security considerations
The SIDs that pertain to the default HelpAssistant account include:
- SID: `S-1-5-<domain>-13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.
- SID: `S-1-5-<domain>-14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
- SID: `S-1-5-<domain>-13`, display name *Terminal Server User*. This group includes all users who sign in to a server with Remote Desktop Services enabled.
- SID: `S-1-5-<domain>-14`, display name *Remote Interactive Logon*. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.
For details about the HelpAssistant account attributes, see the following table.
**HelpAssistant account attributes**
#### HelpAssistant account attributes
|Attribute|Value|
|--- |--- |
@ -118,15 +104,11 @@ For details about the HelpAssistant account attributes, see the following table.
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No|
</details>
<br>
<details>
<summary><b>DefaultAccount</b></summary>
### DefaultAccount
The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.
The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience.
The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience.
The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\<ComputerIdentifier>-503`.
@ -135,6 +117,7 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**,
The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
#### How Windows uses the DefaultAccount
From a permission perspective, the DefaultAccount is a standard user account.
The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
MUMA apps run all the time and react to users signing in and signing out of the devices.
@ -158,14 +141,10 @@ If the domain was created with domain controllers running an earlier version of
#### Recommendations for managing the Default Account (DSMA)
Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
</details>
## Default local system accounts
<br>
<details>
<summary><b>SYSTEM</b></summary>
### SYSTEM
The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
@ -174,19 +153,13 @@ On the other hand, the SYSTEM account does appear on an NTFS file system volume
> [!NOTE]
> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
</details>
<br>
<details>
<summary><b>NETWORK SERVICE </b></summary>
### NETWORK SERVICE
The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
</details>
<br>
<details>
<summary><b>LOCAL SERVICE</b></summary>
The *NETWORK SERVICE* account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
</details>
### LOCAL SERVICE
The *LOCAL SERVICE* account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
## How to manage local user accounts
@ -203,17 +176,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by
### Restrict and protect local accounts with administrative rights
An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement".
An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*.
The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
The other approaches that can be used to restrict and protect user accounts with administrative rights include:
- Enforce local account restrictions for remote access.
- Deny network logon to all local Administrator accounts.
- Create unique passwords for local accounts with administrative rights.
- Enforce local account restrictions for remote access
- Deny network logon to all local Administrator accounts
- Create unique passwords for local accounts with administrative rights
Each of these approaches is described in the following sections.
@ -224,7 +195,7 @@ Each of these approaches is described in the following sections.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
@ -234,8 +205,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->
|No.|Setting|Detailed Description|
|--- |--- |--- |
||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
@ -286,6 +255,7 @@ The following table shows the Group Policy and registry settings that are used t
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
### Deny network logon to all local Administrator accounts
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.

2
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -8,7 +8,7 @@ metadata:
- highpri
- tier1
ms.topic: faq
ms.date: 03/09/2023
ms.date: 08/03/2023
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.

6
windows/security/includes/sections/security-foundations.md
View File

@ -9,9 +9,9 @@ ms.topic: include
| Feature name | Description |
|:---|:---|
| **Microsoft Security Development Lifecycle (SDL)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
| **OneFuzz service** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows. |
| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released. |
| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quickly fix the issues before releasing the final Windows. |
## Certification

290
windows/security/index.yml
View File

@ -1,162 +1,168 @@
### YamlMime:Landing
### YamlMime:Hub
title: Windows security
summary: Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive.
title: Windows client security documentation
summary: Learn how to secure Windows clients for your organization.
brand: windows
metadata:
title: Windows security
description: Learn about Windows security technologies and how to use them to protect your data and devices.
ms.topic: landing-page
ms.topic: hub-page
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
ms.date: 12/19/2022
manager: aaroncz
ms.date: 07/28/2023
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
highlightedContent:
items:
- title: Get started with Windows security
itemType: get-started
url: introduction.md
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- title: Windows 11, version 22H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- title: Security features licensing and edition requirements
itemType: overview
url: /windows/security/licensing-and-edition-requirements
productDirectory:
title: Get started
items:
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Zero Trust and Windows
linkLists:
- linkListType: overview
links:
- text: Overview
url: zero-trust-windows-device-health.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Hardware security
linkLists:
- linkListType: overview
imageSrc: /media/common/i_usb.svg
links:
- text: Overview
url: hardware.md
- linkListType: concept
- url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
text: Trusted Platform Module
- url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
text: Microsoft Pluton
- url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
text: Windows Defender System Guard
- url: /windows-hardware/design/device-experiences/oem-vbs
text: Virtualization-based security (VBS)
- url: /windows-hardware/design/device-experiences/oem-highly-secure-11
text: Secured-core PC
- url: /windows/security/hardware-security
text: Learn more about hardware security >
- title: OS security
imageSrc: /media/common/i_threat-protection.svg
links:
- text: Trusted Platform Module
url: hardware-security/tpm/trusted-platform-module-top-node.md
- text: Windows Defender System Guard firmware protection
url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
- text: System Guard Secure Launch and SMM protection enablement
url: hardware-security/system-guard-secure-launch-and-smm-protection.md
- text: Virtualization-based protection of code integrity
url: hardware-security/enable-virtualization-based-protection-of-code-integrity.md
- text: Kernel DMA Protection
url: hardware-security/kernel-dma-protection-for-thunderbolt.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Operating system security
linkLists:
- linkListType: overview
- url: /windows/security/operating-system-security
text: Trusted boot
- url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
text: Windows security settings
- url: /windows/security/operating-system-security/data-protection/bitlocker/
text: BitLocker
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
text: MMicrosoft Defender SmartScreen
- url: /windows/security/operating-system-security
text: Learn more about OS security >
- title: Identity protection
imageSrc: /media/common/i_identity-protection.svg
links:
- text: Overview
url: operating-system-security/index.md
- linkListType: concept
links:
- text: Trusted boot
url: operating-system-security\system-security\trusted-boot.md
- text: Windows security baselines
url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
- text: Virtual private network guide
url: operating-system-security/network-security/vpn/vpn-guide.md
- text: Windows Defender Firewall
url: operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
- text: Virus & threat protection
url: threat-protection/index.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- url: /windows/security/identity-protection/credential-guard
text: Windows Defender Credential Guard
- url: /windows-server/identity/laps/laps-overview
text: Windows LAPS (Local Administrator Password Solution)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
text: Enhanced phishing protection with SmartScreen
- url: /education/windows/federated-sign-in
text: Federated sign-in (EDU)
- url: /windows/security/identity-protection
text: Learn more about identity protection >
- title: Application security
linkLists:
- linkListType: overview
imageSrc: /media/common/i_queries.svg
links:
- text: Overview
url: application-security/index.md
- linkListType: concept
links:
- text: Application Control and virtualization-based protection
url: application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- text: Application Control
url: application-security/application-control/windows-defender-application-control/wdac.md
- text: Application Guard
url: application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
- text: Windows Sandbox
url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md
- text: Microsoft Defender SmartScreen
url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md
- text: S/MIME for Windows
url: operating-system-security/data-protection/configure-s-mime.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: User security and secured identity
linkLists:
- linkListType: overview
links:
- text: Overview
url: identity.md
- linkListType: concept
links:
- text: Windows Hello for Business
url: identity-protection/hello-for-business/index.md
- text: Protect domain credentials
url: identity-protection/credential-guard/credential-guard.md
- text: Windows Defender Credential Guard
url: identity-protection/credential-guard/credential-guard.md
- text: Lost or forgotten passwords
url: identity-protection/password-support-policy.md
- text: Access control
url: identity-protection/access-control/access-control.md
- text: Smart cards
url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Cloud services
linkLists:
- linkListType: concept
links:
- text: Mobile device management
url: /windows/client-management/mdm/
- text: Azure Active Directory
url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory
- text: Your Microsoft Account
url: identity-protection/access-control/microsoft-accounts.md
- text: OneDrive
url: /onedrive/onedrive
- text: Family safety
url: operating-system-security\system-security\windows-defender-security-center\wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- url: /windows/security/application-security/application-control/windows-defender-application-control/
text: Windows Defender Application Control (WDAC)
- url: /windows/security/application-security/application-control/user-account-control
text: User Account Control (UAC)
- url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
text: Microsoft vulnerable driver blocklist
- url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
text: Microsoft Defender Application Guard (MDAG)
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
text: Windows Sandbox
- url: /windows/security/application-security
text: Learn more about application security >
- title: Security foundations
linkLists:
- linkListType: overview
imageSrc: /media/common/i_build.svg
links:
- text: Overview
url: security-foundations/index.md
- linkListType: reference
- url: /windows/security/security-foundations/certification/fips-140-validation
text: FIPS 140-2 validation
- url: /windows/security/security-foundations/certification/windows-platform-common-criteria
text: Common Criteria Certifications
- url: /windows/security/security-foundations/msft-security-dev-lifecycle
text: Microsoft Security Development Lifecycle (SDL)
- url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
text: Microsoft Windows Insider Preview bounty program
- url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
text: OneFuzz service
- url: /windows/security/security-foundations
text: Learn more about security foundations >
- title: Cloud security
imageSrc: /media/common/i_cloud-security.svg
links:
- text: Microsoft Security Development Lifecycle
url: threat-protection/msft-security-dev-lifecycle.md
- text: Microsoft Bug Bounty
url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program
- text: Common Criteria Certifications
url: threat-protection/windows-platform-common-criteria.md
- text: Federal Information Processing Standard (FIPS) 140 Validation
url: threat-protection/fips-140-validation.md
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Privacy controls
linkLists:
- linkListType: reference
- url: /mem/intune/protect/security-baselines
text: Security baselines with Intune
- url: /windows/deployment/windows-autopatch
text: Windows Autopatch
- url: /windows/deployment/windows-autopilot
text: Windows Autopilot
- url: /universal-print
text: Universal Print
- url: /windows/client-management/mdm/remotewipe-csp
text: Remote wipe
- url: /windows/security/cloud-security
text: Learn more about cloud security >
additionalContent:
sections:
- title: More Windows resources
items:
- title: Windows Server
links:
- text: Windows and Privacy Compliance
url: /windows/privacy/windows-10-and-privacy-compliance
- text: Windows Server documentation
url: /windows-server
- text: What's new in Windows Server 2022?
url: /windows-server/get-started/whats-new-in-windows-server-2022
- text: Windows Server blog
url: https://cloudblogs.microsoft.com/windowsserver/
- title: Windows product site and blogs
links:
- text: Find out how Windows enables your business to do more
url: https://www.microsoft.com/microsoft-365/windows
- text: Windows blogs
url: https://blogs.windows.com/
- text: Windows IT Pro blog
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
- text: Microsoft Intune blog
url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog
- text: "Windows help & learning: end-user documentation"
url: https://support.microsoft.com/windows
- title: Participate in the community
links:
- text: Windows community
url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10
- text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community
url: https://answers.microsoft.com/windows/forum

39
windows/security/operating-system-security/data-protection/bitlocker/index.md
View File

@ -1,21 +1,21 @@
---
title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
description: Learn about BitLocker requirements, practical applications, and deprecated features.
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.topic: overview
ms.date: 08/03/2023
---
# BitLocker overview
Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\
Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
@ -27,30 +27,25 @@ Data on a lost or stolen device is vulnerable to unauthorized access, either by
BitLocker has the following hardware requirements:
For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
> [!IMPORTANT]
> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
- For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment
> [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
>
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
- The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
> [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
>
> An encrypted partition can't be marked as active.
When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
> [!NOTE]
> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]

2
windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 06/28/2023
ms.date: 08/03/2023
ms.topic: how-to
---

10
windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

@ -1,13 +1,13 @@
---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 12/28/2022
ms.date: 08/03/2023
ms.topic: how-to
---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over Wi-Fi or VPN connections. The following scenarios are typically used:
- Connecting to a network using Wi-Fi or VPN
- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
@ -17,15 +17,15 @@ For example, you want to connect to a corporate network and access an internal w
The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
- For VPN, the VPN stack saves its credential as the **session default**
- For WiFi, Extensible Authentication Protocol (EAP) provides support
- For Wi-Fi, Extensible Authentication Protocol (EAP) provides support
The credentials are placed in Credential Manager as a *session credential*:
- A *session credential* implies that it is valid for the current user session
- The credentials are cleaned up when the WiFi or VPN connection is disconnected
- The credentials are cleaned up when the Wi-Fi or VPN connection is disconnected
> [!NOTE]
> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager.
> In Windows 10, version 21H2 and later, the *session credential* isn't visible in Credential Manager.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).

2
windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 06/20/2023
ms.date: 08/03/2023
ms.topic: conceptual
---

2
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
View File

@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---

10
windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
ms.date: 05/23/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -17,10 +17,10 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
Server-side infrastructure requirements to support VPN device compliance include:
@ -91,7 +91,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related topics
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)

5
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
View File

@ -1,7 +1,7 @@
---
title: VPN connection types (Windows 10 and Windows 11)
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/24/2022
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -16,6 +16,7 @@ There are many options for VPN clients. In Windows, the built-in plug-in and the
## Built-in VPN client
Tunneling protocols:
- [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
- [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
- [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))

2
windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---

2
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
View File

@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---

2
windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: article
ms.date: 05/24/2023
ms.date: 08/03/2023
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client

5
windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

@ -1,13 +1,13 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/17/2018
ms.date: 08/03/2023
ms.topic: conceptual
---
# VPN profile options
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
Most of the VPN settings in Windows can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. VPN settings can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
@ -38,7 +38,6 @@ The following table lists the VPN settings and whether the setting can be config
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article.
## Sample Native VPN profile
The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.

2
windows/security/operating-system-security/network-security/vpn/vpn-routing.md
View File

@ -1,5 +1,5 @@
---
ms.date: 05/24/2023
ms.date: 08/03/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual

2
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
View File

@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---

6
windows/security/security-foundations/toc.yml
View File

@ -3,7 +3,13 @@ items:
href: index.md
- name: Zero Trust and Windows
href: zero-trust-windows-device-health.md
- name: Offensive research
items:
- name: Microsoft Security Development Lifecycle
href: msft-security-dev-lifecycle.md
- name: OneFuzz service
href: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- name: Microsoft Windows Insider Preview bounty program 🔗
href: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- name: Certification
href: certification/toc.yml

2
windows/security/toc.yml
View File

@ -1,6 +1,4 @@
items:
- name: Windows security
href: index.yml
- name: Introduction to Windows security
href: introduction.md
- name: Security features licensing and edition requirements