deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

credentialproviders, delegation, ui, cryptography, dataprotection

Browse Source
This commit is contained in:
Liz Long 2022-12-27 15:52:52 -05:00
parent 0ae3996e9d
commit bdfaa6e180
5 changed files with 512 additions and 497 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

279
windows/client-management/mdm/policy-csp-credentialproviders.md
View File

@ -1,200 +1,213 @@
--- ---
title: Policy CSP - CredentialProviders title: CredentialProviders Policy CSP
description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. description: Learn more about the CredentialProviders Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- CredentialProviders-Begin -->
# Policy CSP - CredentialProviders # Policy CSP - CredentialProviders
> [!TIP] > [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- CredentialProviders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CredentialProviders-Editable-End -->
<hr/> <!-- AllowPINLogon-Begin -->
## AllowPINLogon
<!--Policies--> <!-- AllowPINLogon-Applicability-Begin -->
## CredentialProviders policies | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- AllowPINLogon-Applicability-End -->
<dl> <!-- AllowPINLogon-OmaUri-Begin -->
<dd> ```Device
<a href="#credentialproviders-allowpinlogon">CredentialProviders/AllowPINLogon</a> ./Device/Vendor/MSFT/Policy/Config/CredentialProviders/AllowPINLogon
</dd> ```
<dd> <!-- AllowPINLogon-OmaUri-End -->
<a href="#credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a>
</dd>
<dd>
<a href="#credentialproviders-disableautomaticredeploymentcredentials">CredentialProviders/DisableAutomaticReDeploymentCredentials</a>
</dd>
</dl>
<!-- AllowPINLogon-Description-Begin -->
<hr/> <!-- Description-Source-ADMX -->
<!--Policy-->
<a href="" id="credentialproviders-allowpinlogon"></a>**CredentialProviders/AllowPINLogon**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
> [!NOTE] Note: The user's domain password will be cached in the system vault when using this feature.
> The user's domain password will be cached in the system vault when using this feature.
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
<!-- AllowPINLogon-Description-End -->
<!--/Description--> <!-- AllowPINLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowPINLogon-Editable-End -->
<!-- AllowPINLogon-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Turn on convenience PIN sign-in* | Format | chr (string) |
- GP name: *AllowDomainPINLogon* | Access Type | Add, Delete, Get, Replace |
- GP path: *System/Logon* <!-- AllowPINLogon-DFProperties-End -->
- GP ADMX file name: *credentialproviders.admx*
<!--/ADMXBacked--> <!-- AllowPINLogon-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<hr/> **ADMX mapping**:
<!--Policy--> | Name | Value |
<a href="" id="credentialproviders-blockpicturepassword"></a>**CredentialProviders/BlockPicturePassword** |:--|:--|
| Name | AllowDomainPINLogon |
| Friendly Name | Turn on convenience PIN sign-in |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | AllowDomainPINLogon |
| ADMX File Name | CredentialProviders.admx |
<!-- AllowPINLogon-AdmxBacked-End -->
<!--SupportedSKUs--> <!-- AllowPINLogon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowPINLogon-Examples-End -->
|Edition|Windows 10|Windows 11| <!-- AllowPINLogon-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- BlockPicturePassword-Begin -->
## BlockPicturePassword
<!--/SupportedSKUs--> <!-- BlockPicturePassword-Applicability-Begin -->
<hr/> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- BlockPicturePassword-Applicability-End -->
<!--Scope--> <!-- BlockPicturePassword-OmaUri-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ```Device
./Device/Vendor/MSFT/Policy/Config/CredentialProviders/BlockPicturePassword
```
<!-- BlockPicturePassword-OmaUri-End -->
> [!div class = "checklist"] <!-- BlockPicturePassword-Description-Begin -->
> * Device <!-- Description-Source-ADMX -->
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether a domain user can sign in using a picture password. This policy setting allows you to control whether a domain user can sign in using a picture password.
If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password.
If you disable or don't configure this policy setting, a domain user can set up and use a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
> [!NOTE] Note that the user's domain password will be cached in the system vault when using this feature.
> The user's domain password will be cached in the system vault when using this feature. <!-- BlockPicturePassword-Description-End -->
<!--/Description--> <!-- BlockPicturePassword-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- BlockPicturePassword-Editable-End -->
<!-- BlockPicturePassword-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Turn off picture password sign-in* | Format | chr (string) |
- GP name: *BlockDomainPicturePassword* | Access Type | Add, Delete, Get, Replace |
- GP path: *System/Logon* <!-- BlockPicturePassword-DFProperties-End -->
- GP ADMX file name: *credentialproviders.admx*
<!--/ADMXBacked--> <!-- BlockPicturePassword-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<hr/> **ADMX mapping**:
<!--Policy--> | Name | Value |
<a href="" id="credentialproviders-disableautomaticredeploymentcredentials"></a>**CredentialProviders/DisableAutomaticReDeploymentCredentials** |:--|:--|
| Name | BlockDomainPicturePassword |
| Friendly Name | Turn off picture password sign-in |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| Registry Value Name | BlockDomainPicturePassword |
| ADMX File Name | CredentialProviders.admx |
<!-- BlockPicturePassword-AdmxBacked-End -->
<!--SupportedSKUs--> <!-- BlockPicturePassword-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- BlockPicturePassword-Examples-End -->
|Edition|Windows 10|Windows 11| <!-- BlockPicturePassword-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisableAutomaticReDeploymentCredentials-Begin -->
## DisableAutomaticReDeploymentCredentials
<!--/SupportedSKUs--> <!-- DisableAutomaticReDeploymentCredentials-Applicability-Begin -->
<hr/> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- DisableAutomaticReDeploymentCredentials-Applicability-End -->
<!--Scope--> <!-- DisableAutomaticReDeploymentCredentials-OmaUri-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ```Device
./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
```
<!-- DisableAutomaticReDeploymentCredentials-OmaUri-End -->
> [!div class = "checklist"] <!-- DisableAutomaticReDeploymentCredentials-Description-Begin -->
> * Device <!-- Description-Source-DDF -->
Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students.
<!-- DisableAutomaticReDeploymentCredentials-Description-End -->
<hr/> <!-- DisableAutomaticReDeploymentCredentials-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAutomaticReDeploymentCredentials-Editable-End -->
<!--/Scope--> <!-- DisableAutomaticReDeploymentCredentials-DFProperties-Begin -->
<!--Description--> **Description framework properties**:
Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. | Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- DisableAutomaticReDeploymentCredentials-DFProperties-End -->
<!--/Description--> <!-- DisableAutomaticReDeploymentCredentials-AllowedValues-Begin -->
<!--SupportedValues--> **Allowed values**:
The following list shows the supported values:
0 - Enable the visibility of the credentials for Autopilot Reset | Value | Description |
1 - Disable visibility of the credentials for Autopilot Reset |:--|:--|
| 0 | Enable the visibility of the credentials for Autopilot Reset. |
| 1 (Default) | Disable visibility of the credentials for Autopilot Reset. |
<!-- DisableAutomaticReDeploymentCredentials-AllowedValues-End -->
<!--/SupportedValues--> <!-- DisableAutomaticReDeploymentCredentials-Examples-Begin -->
<!--/Policy--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<hr/> <!-- DisableAutomaticReDeploymentCredentials-Examples-End -->
<!-- DisableAutomaticReDeploymentCredentials-End -->
<!-- CredentialProviders-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CredentialProviders-CspMoreInfo-End -->
<!--/Policies--> <!-- CredentialProviders-End -->
## Related topics ## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

133
windows/client-management/mdm/policy-csp-credentialsdelegation.md
View File

@ -1,95 +1,100 @@
--- ---
title: Policy CSP - CredentialsDelegation title: CredentialsDelegation Policy CSP
description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. description: Learn more about the CredentialsDelegation Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- CredentialsDelegation-Begin -->
# Policy CSP - CredentialsDelegation # Policy CSP - CredentialsDelegation
> [!TIP] > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- CredentialsDelegation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CredentialsDelegation-Editable-End -->
<hr/> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Begin -->
## RemoteHostAllowsDelegationOfNonExportableCredentials
<!--Policies--> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Applicability-Begin -->
## CredentialsDelegation policies | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Applicability-End -->
<dl> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-OmaUri-Begin -->
<dd> ```Device
<a href="#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials">CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials</a> ./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials
</dd> ```
</dl> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-OmaUri-End -->
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Description-Begin -->
<!-- Description-Source-ADMX -->
Remote host allows delegation of non-exportable credentials
<hr/> When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
<!--Policy-->
<a href="" id="credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials"></a>**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Remote host allows delegation of non-exportable credentials.
When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host. If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Description-End -->
<!--/Description--> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Editable-End -->
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Remote host allows delegation of non-exportable credentials* | Format | chr (string) |
- GP name: *AllowProtectedCreds* | Access Type | Add, Delete, Get, Replace |
- GP path: *System/Credentials Delegation* <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-DFProperties-End -->
- GP ADMX file name: *CredSsp.admx*
<!--/ADMXBacked--> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
<hr/> > This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | AllowProtectedCreds |
| Friendly Name | Remote host allows delegation of non-exportable credentials |
| Location | Computer Configuration |
| Path | System > Credentials Delegation |
| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation |
| Registry Value Name | AllowProtectedCreds |
| ADMX File Name | CredSsp.admx |
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-AdmxBacked-End -->
<!--/Policies--> <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RemoteHostAllowsDelegationOfNonExportableCredentials-Examples-End -->
## Related topics <!-- RemoteHostAllowsDelegationOfNonExportableCredentials-End -->
<!-- CredentialsDelegation-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CredentialsDelegation-CspMoreInfo-End -->
<!-- CredentialsDelegation-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

215
windows/client-management/mdm/policy-csp-credentialsui.md
View File

@ -1,149 +1,166 @@
--- ---
title: Policy CSP - CredentialsUI title: CredentialsUI Policy CSP
description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. description: Learn more about the CredentialsUI Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- CredentialsUI-Begin -->
# Policy CSP - CredentialsUI # Policy CSP - CredentialsUI
> [!TIP] > [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <!-- CredentialsUI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CredentialsUI-Editable-End -->
<!--Policies--> <!-- DisablePasswordReveal-Begin -->
## CredentialsUI policies ## DisablePasswordReveal
<dl> <!-- DisablePasswordReveal-Applicability-Begin -->
<dd> | Scope | Editions | Applicable OS |
<a href="#credentialsui-disablepasswordreveal">CredentialsUI/DisablePasswordReveal</a> |:--|:--|:--|
</dd> | :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<dd> <!-- DisablePasswordReveal-Applicability-End -->
<a href="#credentialsui-enumerateadministrators">CredentialsUI/EnumerateAdministrators</a>
</dd>
</dl>
<!-- DisablePasswordReveal-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal
```
<hr/> ```Device
./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal
```
<!-- DisablePasswordReveal-OmaUri-End -->
<!--Policy--> <!-- DisablePasswordReveal-Description-Begin -->
<a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal** <!-- Description-Source-ADMX -->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
This policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
<!-- DisablePasswordReveal-Description-End -->
<!--/Description--> <!-- DisablePasswordReveal-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisablePasswordReveal-Editable-End -->
<!-- DisablePasswordReveal-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Do not display the password reveal button* | Format | chr (string) |
- GP name: *DisablePasswordReveal* | Access Type | Add, Delete, Get, Replace |
- GP path: *Windows Components/Credential User Interface* <!-- DisablePasswordReveal-DFProperties-End -->
- GP ADMX file name: *credui.admx*
<!--/ADMXBacked--> <!-- DisablePasswordReveal-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<hr/> **ADMX mapping**:
<!--Policy--> | Name | Value |
<a href="" id="credentialsui-enumerateadministrators"></a>**CredentialsUI/EnumerateAdministrators** |:--|:--|
| Name | DisablePasswordReveal |
| Friendly Name | Do not display the password reveal button |
| Location | Computer and User Configuration |
| Path | Windows Components > Credential User Interface |
| Registry Key Name | Software\Policies\Microsoft\Windows\CredUI |
| Registry Value Name | DisablePasswordReveal |
| ADMX File Name | CredUI.admx |
<!-- DisablePasswordReveal-AdmxBacked-End -->
<!--SupportedSKUs--> <!-- DisablePasswordReveal-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisablePasswordReveal-Examples-End -->
|Edition|Windows 10|Windows 11| <!-- DisablePasswordReveal-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnumerateAdministrators-Begin -->
## EnumerateAdministrators
<!--/SupportedSKUs--> <!-- EnumerateAdministrators-Applicability-Begin -->
<hr/> | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- EnumerateAdministrators-Applicability-End -->
<!--Scope--> <!-- EnumerateAdministrators-OmaUri-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ```Device
./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators
```
<!-- EnumerateAdministrators-OmaUri-End -->
> [!div class = "checklist"] <!-- EnumerateAdministrators-Description-Begin -->
> * Device <!-- Description-Source-ADMX -->
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application.
If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
If you disable this policy setting, users will always be required to type a user name and password to elevate. If you disable this policy setting, users will always be required to type a user name and password to elevate.
<!-- EnumerateAdministrators-Description-End -->
<!--/Description--> <!-- EnumerateAdministrators-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnumerateAdministrators-Editable-End -->
<!-- EnumerateAdministrators-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Enumerate administrator accounts on elevation* | Format | chr (string) |
- GP name: *EnumerateAdministrators* | Access Type | Add, Delete, Get, Replace |
- GP path: *Windows Components/Credential User Interface* <!-- EnumerateAdministrators-DFProperties-End -->
- GP ADMX file name: *credui.admx*
<!--/ADMXBacked--> <!-- EnumerateAdministrators-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
<hr/> > This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnumerateAdministrators |
| Friendly Name | Enumerate administrator accounts on elevation |
| Location | Computer Configuration |
| Path | Windows Components > Credential User Interface |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI |
| Registry Value Name | EnumerateAdministrators |
| ADMX File Name | CredUI.admx |
<!-- EnumerateAdministrators-AdmxBacked-End -->
<!--/Policies--> <!-- EnumerateAdministrators-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnumerateAdministrators-Examples-End -->
## Related topics <!-- EnumerateAdministrators-End -->
<!-- CredentialsUI-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- CredentialsUI-CspMoreInfo-End -->
<!-- CredentialsUI-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

200
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -1,141 +1,129 @@
--- ---
title: Policy CSP - Cryptography title: Cryptography Policy CSP
description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. description: Learn more about the Cryptography Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- Cryptography-Begin -->
# Policy CSP - Cryptography # Policy CSP - Cryptography
<!-- Cryptography-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Cryptography-Editable-End -->
<!-- AllowFipsAlgorithmPolicy-Begin -->
## AllowFipsAlgorithmPolicy
<hr/> <!-- AllowFipsAlgorithmPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- AllowFipsAlgorithmPolicy-Applicability-End -->
<!--Policies--> <!-- AllowFipsAlgorithmPolicy-OmaUri-Begin -->
## Cryptography policies ```Device
./Device/Vendor/MSFT/Policy/Config/Cryptography/AllowFipsAlgorithmPolicy
```
<!-- AllowFipsAlgorithmPolicy-OmaUri-End -->
<dl> <!-- AllowFipsAlgorithmPolicy-Description-Begin -->
<dd> <!-- Description-Source-DDF -->
<a href="#cryptography-allowfipsalgorithmpolicy">Cryptography/AllowFipsAlgorithmPolicy</a> Allows or disallows the Federal Information Processing Standard (FIPS) policy.
</dd> <!-- AllowFipsAlgorithmPolicy-Description-End -->
<dd>
<a href="#cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
</dd>
</dl>
<!-- AllowFipsAlgorithmPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowFipsAlgorithmPolicy-Editable-End -->
<hr/> <!-- AllowFipsAlgorithmPolicy-DFProperties-Begin -->
**Description framework properties**:
<!--Policy--> | Property name | Property value |
<a href="" id="cryptography-allowfipsalgorithmpolicy"></a>**Cryptography/AllowFipsAlgorithmPolicy** |:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowFipsAlgorithmPolicy-DFProperties-End -->
<!--SupportedSKUs--> <!-- AllowFipsAlgorithmPolicy-AllowedValues-Begin -->
**Allowed values**:
|Edition|Windows 10|Windows 11| | Value | Description |
|--- |--- |--- | |:--|:--|
|Home|No|No| | 1 | Allow |
|Pro|Yes|Yes| | 0 (Default) | Block |
|Windows SE|No|Yes| <!-- AllowFipsAlgorithmPolicy-AllowedValues-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowFipsAlgorithmPolicy-GpMapping-Begin -->
**Group policy mapping**:
<!--/SupportedSKUs--> | Name | Value |
<hr/> |:--|:--|
| Name | System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- AllowFipsAlgorithmPolicy-GpMapping-End -->
<!--Scope--> <!-- AllowFipsAlgorithmPolicy-Examples-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowFipsAlgorithmPolicy-Examples-End -->
> [!div class = "checklist"] <!-- AllowFipsAlgorithmPolicy-End -->
> * Device
<hr/> <!-- TLSCipherSuites-Begin -->
## TLSCipherSuites
<!--/Scope--> <!-- TLSCipherSuites-Applicability-Begin -->
<!--Description--> | Scope | Editions | Applicable OS |
This policy setting allows or disallows the Federal Information Processing Standard (FIPS) policy. |:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- TLSCipherSuites-Applicability-End -->
<!--/Description--> <!-- TLSCipherSuites-OmaUri-Begin -->
<!--ADMXMapped--> ```Device
ADMX Info: ./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites
- GP Friendly name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing* ```
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* <!-- TLSCipherSuites-OmaUri-End -->
<!--/ADMXMapped--> <!-- TLSCipherSuites-Description-Begin -->
<!--SupportedValues--> <!-- Description-Source-DDF -->
The following list shows the supported values: Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
<!-- TLSCipherSuites-Description-End -->
0 (default) Not allowed. <!-- TLSCipherSuites-Editable-Begin -->
1 Allowed. <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!--/SupportedValues--> <!-- TLSCipherSuites-Editable-End -->
<!--Example-->
<!--/Example--> <!-- TLSCipherSuites-DFProperties-Begin -->
<!--Validation--> **Description framework properties**:
<!--/Validation--> | Property name | Property value |
<!--/Policy--> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- TLSCipherSuites-DFProperties-End -->
<hr/> <!-- TLSCipherSuites-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TLSCipherSuites-Examples-End -->
<!--Policy--> <!-- TLSCipherSuites-End -->
<a href="" id="cryptography-tlsciphersuites"></a>**Cryptography/TLSCipherSuites**
<!--SupportedSKUs--> <!-- Cryptography-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Cryptography-CspMoreInfo-End -->
|Edition|Windows 10|Windows 11| <!-- Cryptography-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
## Related articles
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
<!--/Description-->
<!--ADMXMapped-->
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

182
windows/client-management/mdm/policy-csp-dataprotection.md
View File

@ -1,129 +1,121 @@
--- ---
title: Policy CSP - DataProtection title: DataProtection Policy CSP
description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. description: Learn more about the DataProtection Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- DataProtection-Begin -->
# Policy CSP - DataProtection # Policy CSP - DataProtection
<!-- DataProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DataProtection-Editable-End -->
<!-- AllowDirectMemoryAccess-Begin -->
## AllowDirectMemoryAccess
<hr/> <!-- AllowDirectMemoryAccess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
<!-- AllowDirectMemoryAccess-Applicability-End -->
<!--Policies--> <!-- AllowDirectMemoryAccess-OmaUri-Begin -->
## DataProtection policies ```Device
./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess
```
<!-- AllowDirectMemoryAccess-OmaUri-End -->
<dl> <!-- AllowDirectMemoryAccess-Description-Begin -->
<dd> <!-- Description-Source-DDF -->
<a href="#dataprotection-allowdirectmemoryaccess">DataProtection/AllowDirectMemoryAccess</a> This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker Device Encryption is enabled. Most restricted value is 0.
</dd> <!-- AllowDirectMemoryAccess-Description-End -->
<dd>
<a href="#dataprotection-legacyselectivewipeid">DataProtection/LegacySelectiveWipeID</a>
</dd>
</dl>
<!-- AllowDirectMemoryAccess-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowDirectMemoryAccess-Editable-End -->
<hr/> <!-- AllowDirectMemoryAccess-DFProperties-Begin -->
**Description framework properties**:
<!--Policy--> | Property name | Property value |
<a href="" id="dataprotection-allowdirectmemoryaccess"></a>**DataProtection/AllowDirectMemoryAccess** |:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowDirectMemoryAccess-DFProperties-End -->
<!--SupportedSKUs--> <!-- AllowDirectMemoryAccess-AllowedValues-Begin -->
**Allowed values**:
|Edition|Windows 10|Windows 11| | Value | Description |
|--- |--- |--- | |:--|:--|
|Home|No|No| | 0 | Not allowed. |
|Pro|Yes|Yes| | 1 (Default) | Allowed. |
|Windows SE|No|Yes| <!-- AllowDirectMemoryAccess-AllowedValues-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowDirectMemoryAccess-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowDirectMemoryAccess-Examples-End -->
<!--/SupportedSKUs--> <!-- AllowDirectMemoryAccess-End -->
<hr/>
<!--Scope--> <!-- LegacySelectiveWipeID-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ## LegacySelectiveWipeID
> [!div class = "checklist"] <!-- LegacySelectiveWipeID-Applicability-Begin -->
> * Device | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- LegacySelectiveWipeID-Applicability-End -->
<hr/> <!-- LegacySelectiveWipeID-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DataProtection/LegacySelectiveWipeID
```
<!-- LegacySelectiveWipeID-OmaUri-End -->
<!--/Scope--> <!-- LegacySelectiveWipeID-Description-Begin -->
<!--Description--> <!-- Description-Source-DDF -->
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe.
Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. **Note**: This policy is not recommended for use in Windows 10.
<!-- LegacySelectiveWipeID-Description-End -->
Most restricted value is 0. <!-- LegacySelectiveWipeID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LegacySelectiveWipeID-Editable-End -->
<!--/Description--> <!-- LegacySelectiveWipeID-DFProperties-Begin -->
<!--SupportedValues--> **Description framework properties**:
The following list shows the supported values:
- 0 Not allowed. | Property name | Property value |
- 1 (default) Allowed. |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LegacySelectiveWipeID-DFProperties-End -->
<!--/SupportedValues--> <!-- LegacySelectiveWipeID-Examples-Begin -->
<!--/Policy--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LegacySelectiveWipeID-Examples-End -->
<hr/> <!-- LegacySelectiveWipeID-End -->
<!--Policy--> <!-- DataProtection-CspMoreInfo-Begin -->
<a href="" id="dataprotection-legacyselectivewipeid"></a>**DataProtection/LegacySelectiveWipeID** <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- DataProtection-CspMoreInfo-End -->
<!--SupportedSKUs--> <!-- DataProtection-End -->
|Edition|Windows 10|Windows 11| ## Related articles
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
Setting used by Windows 8.1 Selective Wipe.
> [!NOTE]
> This policy is not recommended for use in Windows 10.
<!--/Description-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)